Windows Analysis Report
N1aqZIb7KG.exe

Overview

General Information

Sample name: N1aqZIb7KG.exe (renamed because the original name is a hash value)
Original sample name: 5ffc76cfa5ade6017fff6b56c343f718.exe
Analysis ID: 1355317
MD5: 5ffc76cfa5ade6017fff6b56c343f718
SHA1: ac5b3889af5e488c26102b1b886c00ae0b15aebc
SHA256: 26b9f4e5aeae4aa95e44a9a9d51d028b30bd6c9f329bbe8b52511c65ba294fb3
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Deletes itself after installation
Disables the Windows task manager (taskmgr)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • N1aqZIb7KG.exe (PID: 1880 cmdline: C:\Users\user\Desktop\N1aqZIb7KG.exe MD5: 5FFC76CFA5ADE6017FFF6B56C343F718)
    • netsh.exe (PID: 5448 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1592 cmdline: netsh firewall delete allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 4232 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" MD5: 5FFC76CFA5ADE6017FFF6B56C343F718)
      • netsh.exe (PID: 6456 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 4092 cmdline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7040 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SIHClient.exe (PID: 5448 cmdline: C:\Windows\System32\sihclient.exe /cv 9rGOcCJ3NE2Fxvl5hzRMzQ.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
  • Explower.exe (PID: 1616 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 5FFC76CFA5ADE6017FFF6B56C343F718)
  • cleanup
Malware family information (Name / Description / Attribution / Link):

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Extracted malware configuration (Njrat):
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "eafe3130af183c86c36221806d0c196a", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Yara matches on the submitted sample (Source / Rule / Description / Author / Strings):

Source: N1aqZIb7KG.exe, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Source: N1aqZIb7KG.exe, Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Author: unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "
Source: N1aqZIb7KG.exe, Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Author: Florian Roth
  • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c9:$s6: Download ERROR
  • 0x13754:$s8: Select * From AntiVirusProduct
Source: N1aqZIb7KG.exe, Rule: Njrat, Description: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
  • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ad:$msg: Execute ERROR
  • 0x15701:$msg: Execute ERROR
  • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
Source: N1aqZIb7KG.exe, Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Author: ditekSHen
  • 0x13c06:$s1: netsh firewall delete allowedprogram
  • 0x13c58:$s2: netsh firewall add allowedprogram
  • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156ad:$s4: Execute ERROR
  • 0x15701:$s4: Execute ERROR
  • 0x156c9:$s5: Download ERROR
Yara matches on dropped files (Source / Rule / Description / Author / Strings):

Source: C:\Program Files (x86)\Explower.exe, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Source: C:\Program Files (x86)\Explower.exe, Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Author: unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "
Source: C:\Program Files (x86)\Explower.exe, Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Author: Florian Roth
  • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c9:$s6: Download ERROR
  • 0x13754:$s8: Select * From AntiVirusProduct
Source: C:\Program Files (x86)\Explower.exe, Rule: Njrat, Description: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
  • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ad:$msg: Execute ERROR
  • 0x15701:$msg: Execute ERROR
  • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
Source: C:\Program Files (x86)\Explower.exe, Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Author: ditekSHen
  • 0x13c06:$s1: netsh firewall delete allowedprogram
  • 0x13c58:$s2: netsh firewall add allowedprogram
  • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156ad:$s4: Execute ERROR
  • 0x15701:$s4: Execute ERROR
  • 0x156c9:$s5: Download ERROR
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Author: unknown
  • 0x113d2:$a1: get_Registry
  • 0x15827:$a2: SEE_MASK_NOZONECHECKS
  • 0x154c9:$a3: Download ERROR
  • 0x15a79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a06:$a5: netsh firewall delete allowedprogram "
Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Rule: Njrat, Description: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
  • 0x15827:$reg: SEE_MASK_NOZONECHECKS
  • 0x154ad:$msg: Execute ERROR
  • 0x15501:$msg: Execute ERROR
  • 0x15a79:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Source: Process Memory Space: N1aqZIb7KG.exe PID: 1880, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Yara matches on unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Author: Joe Security
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Author: unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a27:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c9:$a3: Download ERROR
  • 0x15c79:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c06:$a5: netsh firewall delete allowedprogram "
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Author: Florian Roth
  • 0x15c79:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13792:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e7:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c9:$s6: Download ERROR
  • 0x13754:$s8: Select * From AntiVirusProduct
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Rule: Njrat, Description: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
  • 0x15a27:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ad:$msg: Execute ERROR
  • 0x15701:$msg: Execute ERROR
  • 0x15c79:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Author: ditekSHen
  • 0x13c06:$s1: netsh firewall delete allowedprogram
  • 0x13c58:$s2: netsh firewall add allowedprogram
  • 0x15c79:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156ad:$s4: Execute ERROR
  • 0x15701:$s4: Execute ERROR
  • 0x156c9:$s5: Download ERROR

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: N1aqZIb7KG.exe, Avira: detected
Source: C:\Program Files (x86)\Explower.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "eafe3130af183c86c36221806d0c196a", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Program Files (x86)\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\Documents\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Users\user\Favorites\Explower.exe, ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Explower.exe, ReversingLabs: Detection: 83%
Source: N1aqZIb7KG.exe, ReversingLabs: Detection: 83%
Source: Yara match, File source: N1aqZIb7KG.exe, type: SAMPLE
Source: Yara match, File source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: N1aqZIb7KG.exe PID: 1880, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5036, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Explower.exe PID: 1616, type: MEMORYSTR
Source: Yara match, File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED
Source: C:\Program Files (x86)\Explower.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Joe Sandbox ML: detected
Source: N1aqZIb7KG.exe, Joe Sandbox ML: detected
Source: N1aqZIb7KG.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: N1aqZIb7KG.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: N1aqZIb7KG.exe, Usb1.cs, .Net Code: infect
Source: Explower.exe.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe0.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe1.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe2.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe3.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe4.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe5.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe6.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe7.1.dr, Usb1.cs, .Net Code: infect
Source: Explower.exe8.1.dr, Usb1.cs, .Net Code: infect
Source: N1aqZIb7KG.exe, 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: \autorun.inf
Source: N1aqZIb7KG.exe, 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: [autorun]
Source: N1aqZIb7KG.exe, 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: autorun.inf
Source: N1aqZIb7KG.exe, Binary or memory string: \autorun.inf
Source: N1aqZIb7KG.exe, Binary or memory string: [autorun]
Source: N1aqZIb7KG.exe, Binary or memory string: autorun.inf
Source: Explower.exe4.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe4.1.dr, Binary or memory string: [autorun]
Source: Explower.exe4.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe2.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe2.1.dr, Binary or memory string: [autorun]
Source: Explower.exe2.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe1.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe1.1.dr, Binary or memory string: [autorun]
Source: Explower.exe1.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe6.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe6.1.dr, Binary or memory string: [autorun]
Source: Explower.exe6.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe.1.dr, Binary or memory string: [autorun]
Source: Explower.exe.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe3.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe3.1.dr, Binary or memory string: [autorun]
Source: Explower.exe3.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe7.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe7.1.dr, Binary or memory string: [autorun]
Source: Explower.exe7.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe8.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe8.1.dr, Binary or memory string: [autorun]
Source: Explower.exe8.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe5.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe5.1.dr, Binary or memory string: [autorun]
Source: Explower.exe5.1.dr, Binary or memory string: autorun.inf
Source: svchost.exe.1.dr, Binary or memory string: \autorun.inf
Source: svchost.exe.1.dr, Binary or memory string: [autorun]
Source: svchost.exe.1.dr, Binary or memory string: autorun.inf
Source: Explower.exe0.1.dr, Binary or memory string: \autorun.inf
Source: Explower.exe0.1.dr, Binary or memory string: [autorun]
Source: Explower.exe0.1.dr, Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, File opened: C:\Users\user\AppData\

Networking

Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Network Connect: 18.197.239.109 13150
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Network Connect: 3.68.171.119 13150
Source: global traffic, TCP traffic: 192.168.2.6:49709 -> 3.68.171.119:13150
Source: global traffic, TCP traffic: 192.168.2.6:49725 -> 18.197.239.109:13150
Source: global traffic, TCP traffic: 192.168.2.6:49739 -> 52.28.247.255:13150
Source: Joe Sandbox View, IP Address: 52.28.247.255
Source: Joe Sandbox View, IP Address: 18.197.239.109
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, DNS traffic detected: queries for: 6.tcp.eu.ngrok.io
Source: SIHClient.exe, 00000010.00000003.2295775556.0000026001E2B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micros#
Source: SIHClient.exe, 00000010.00000002.2688090120.0000026002699000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microsofto
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe, Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match, File source: N1aqZIb7KG.exe, type: SAMPLE
Source: Yara match, File source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: N1aqZIb7KG.exe PID: 1880, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5036, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Explower.exe PID: 1616, type: MEMORYSTR
Source: Yara match, File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED

System Summary

Source: N1aqZIb7KG.exe, type: SAMPLE, Matched rule: Windows_Trojan_Njrat_30f3c220, Author: unknown
Source: N1aqZIb7KG.exe, type: SAMPLE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: N1aqZIb7KG.exe, type: SAMPLE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: N1aqZIb7KG.exe, type: SAMPLE, Matched rule: Detects NjRAT / Bladabindi, Author: ditekSHen
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Njrat_30f3c220, Author: unknown
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: Detects NjRAT / Bladabindi, Author: ditekSHen
Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Njrat_30f3c220, Author: unknown
Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED, Matched rule: Windows_Trojan_Njrat_30f3c220, Author: unknown
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Explower.exe, type: DROPPED, Matched rule: Detects NjRAT / Bladabindi, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED, Matched rule: Windows_Trojan_Njrat_30f3c220, Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED, Matched rule: Detects NjRAT / Bladabindi, Author: ditekSHen
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_055900F6 NtQuerySystemInformation
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_055900BB NtQuerySystemInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_059F0032 NtQuerySystemInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_059F0006 NtQuerySystemInformation
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Windows\SysWOW64\Explower.exe
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_00F64298
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_00F64287
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034298
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05035000
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0503470F
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034F2F
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034630
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034936
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034544
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034B5B
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05035459
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0503505D
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0503536F
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0503428F
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034C8F
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0503499D
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_05034F9D
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_050347D4
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_050350E3
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_050344F1
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_050349F9
              Source: N1aqZIb7KG.exe, 00000001.00000002.2132625736.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs N1aqZIb7KG.exe
              Source: N1aqZIb7KG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: N1aqZIb7KG.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: N1aqZIb7KG.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: N1aqZIb7KG.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: N1aqZIb7KG.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
              Source: classification engine | Classification label: mal100.spre.troj.adwa.evad.winEXE@23/37@6/3
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_00B0BE76 AdjustTokenPrivileges
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Code function: 1_2_00B0BE3F AdjustTokenPrivileges
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0272BD4E AdjustTokenPrivileges
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Code function: 8_2_0272BD17 AdjustTokenPrivileges
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Program Files (x86)\Explower.exe
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Roaming\app
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
              Source: C:\Windows\System32\SIHClient.exe | Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3164:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\eafe3130af183c86c36221806d0c196a
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
              Source: N1aqZIb7KG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: N1aqZIb7KG.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\276d7f4a20a3c21c3bf6fc9bfc1915a2\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: N1aqZIb7KG.exe | ReversingLabs: Detection: 83%
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File read: C:\Users\user\Desktop\N1aqZIb7KG.exe
              Source: unknown | Process created: C:\Users\user\Desktop\N1aqZIb7KG.exe C:\Users\user\Desktop\N1aqZIb7KG.exe
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe"
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv 9rGOcCJ3NE2Fxvl5hzRMzQ.0.2
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe"
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLEJump to behavior
              Source: C:\Windows\System32\SIHClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07369A67-07A6-4608-ABEA-379491CB7C46}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: N1aqZIb7KG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\N1aqZIb7KG.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
              Source: N1aqZIb7KG.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
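The netsh commands above use the legacy `netsh firewall` context, which current Windows still accepts (it prints a deprecation notice pointing at `netsh advfirewall firewall`), so a detection has to cover both syntaxes. The Python below is an added example, not code from this report, the sandbox or the sample: it scans constructed process-creation records modelled on the lines above and flags allow-rules for user-writable paths, a process whitelisting its own image, a system binary name living outside System32/SysWOW64, and the add/delete/add churn the sample shows. The benign control record at the end and the heuristic rules themselves are this example's assumptions.

```python
"""Flag Windows Firewall allow-rules added through netsh for binaries outside
the usual program locations, plus the add/delete/add churn seen in this report.

Added example for this report, not part of the analysed sample or the sandbox.
EVENTS is constructed to mirror the process-creation lines above (parent image,
child command line); the last record is a made-up benign control.
"""
import re
from dataclasses import dataclass

EVENTS = [
    (r"C:\Users\user\Desktop\N1aqZIb7KG.exe",
     r'netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE'),
    (r"C:\Users\user\Desktop\N1aqZIb7KG.exe",
     r'netsh firewall delete allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe"'),
    (r"C:\Users\user\Desktop\N1aqZIb7KG.exe",
     r'netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE'),
    (r"C:\Users\user\AppData\Roaming\Microsoft\svchost.exe",
     r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE'),
    # Constructed benign control: an installer under Program Files using the
    # current advfirewall syntax for a binary that also lives under Program Files.
    (r"C:\Program Files\Vendor\setup.exe",
     r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\Program Files\Vendor\app.exe"'),
]

# Rules for programs under these roots are usually installer activity.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Legacy context (still accepted, with a deprecation notice) and the current one.
PAT_LEGACY = re.compile(r'netsh\s+firewall\s+(add|delete)\s+allowedprogram\s+"([^"]+)"', re.I)
PAT_ADV = re.compile(r'netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b.*?\bprogram="([^"]+)"', re.I)


@dataclass
class Finding:
    parent: str
    action: str
    program: str
    reasons: list


def parse_netsh(cmdline):
    """Return (action, program) for a netsh firewall rule command, else None."""
    for pat in (PAT_LEGACY, PAT_ADV):
        m = pat.search(cmdline)
        if m:
            return m.group(1).lower(), m.group(2)
    return None


def triage(events):
    """Apply the heuristics to (parent, cmdline) records; return Finding objects."""
    findings = []
    history = {}  # program path -> sequence of add/delete actions seen so far
    for parent, cmd in events:
        parsed = parse_netsh(cmd)
        if parsed is None:
            continue
        action, program = parsed
        key = program.lower()
        history.setdefault(key, []).append(action)
        name = key.rsplit("\\", 1)[-1]
        reasons = []
        if not key.startswith(TRUSTED_ROOTS):
            reasons.append("rule targets a user-writable path")
        if key == parent.lower():
            reasons.append("process whitelists its own image")
        if name in SYSTEM_NAMES and not key.startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside the system directory")
        if history[key][-3:] == ["add", "delete", "add"]:
            reasons.append("add/delete/add churn on the same program")
        if reasons:
            findings.append(Finding(parent, action, program, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.action:6} {f.program}\n    parent={f.parent}\n    " + "; ".join(f.reasons))
```

The same rules map directly onto Sysmon event 1 or Windows Security 4688 records (parent image plus command line); the benign control shows why the path test, not the mere presence of netsh, carries the signal.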

Data Obfuscation

Source: N1aqZIb7KG.exe, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Explower.exe.1.dr, Explower.exe0.1.dr, Explower.exe1.1.dr, Explower.exe2.1.dr, Explower.exe3.1.dr, Explower.exe4.1.dr, Explower.exe5.1.dr, Explower.exe6.1.dr, Explower.exe7.1.dr, Explower.exe8.1.dr (dropped copies), Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\Documents\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Windows\SysWOW64\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\Favorites\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Local\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Program Files (x86)\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\Desktop\Explower.exe

Boot Survival

Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe\:Zone.Identifier:$DATA

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | File deleted: c:\users\user\desktop\n1aqzib7kg.exe
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process information set: NOOPENFILEERRORBOX (33 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process information set: NOOPENFILEERRORBOX (35 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\System32\SIHClient.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, so these two entries are a thread parking itself indefinitely, not a tuned sandbox-evasion delay; the short repeated delays recorded for svchost.exe below are the ones worth timing.
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Window / User API: threadDelayed 352
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Window / User API: threadDelayed 3815
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Window / User API: threadDelayed 4397
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Window / User API: foregroundWindowGot 603
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Window / User API: foregroundWindowGot 638
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe TID: 4568 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe TID: 3796 | Thread sleep time: -35200s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe TID: 5056 | Thread sleep time: -3815000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe TID: 5056 | Thread sleep time: -4397000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 2612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 5948 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 occurrences)
Source: C:\Windows\System32\SIHClient.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 occurrences)
Note: the Win32_BIOS and Win32_ComputerSystem queries are attributed to netsh.exe and to SIHClient.exe (the Windows Update Server-Initiated Healing client), not to the sample or its dropped copies; weigh them as activity of those Windows binaries unless injection into them is demonstrated.
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\
Source: SIHClient.exe, 00000010.00000003.2295775556.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2295536340.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000002.2687549306.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2685760234.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2293742121.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2294117374.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2296194778.0000026001E44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWa^
Source: N1aqZIb7KG.exe, 00000001.00000002.2132625736.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yLs7
Source: svchost.exe, 00000008.00000002.4566774931.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2295775556.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2295536340.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000002.2687549306.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2685760234.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2293742121.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2294117374.0000026001E44000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000010.00000003.2296194778.0000026001E44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: N1aqZIb7KG.exe, 00000001.00000002.2132625736.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y%s
Source: netsh.exe, 00000002.00000002.2122124257.0000000003470000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.2133339661.0000000002DB1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000005.00000003.2136693196.0000000003201000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4566746334.000000000087E000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.2151171294.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000B.00000003.2162104364.0000000003081000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000C.00000003.2165459121.0000000002F21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SIHClient.exe, 00000010.00000002.2687549306.0000026001DF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWnt
Note: "Hyper-V RAW", found next to the mswsock.dll path, is the display name of the Hyper-V socket provider in the Winsock catalog; its presence in the memory of netsh.exe, svchost.exe and SIHClient.exe is not by itself evidence that the sample fingerprints the hypervisor.
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Network Connect: 18.197.239.109 13150
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Network Connect: 3.68.171.119 13150
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/08 | 03:25:00 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/08 | 02:26:08 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/07 | 11:27:14 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/07 | 11:29:12 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/08 | 02:40:43 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/08 | 04:22:18 - Program Manager
Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 23/12/08 | 03:28:49 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:38:35 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 17:20:40 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:40 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:18:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 21:27:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:48 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:19 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:16:13 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:33:54 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:42 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:41 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:00:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:17:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:47 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 19:00:16 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:14:41 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 21:50:20 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:13 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:18:54 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:49 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:35:09 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:24:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:22:33 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 01:49:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:17:41 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:22:04 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:49:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:03:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:13:58 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:46 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:48 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:49 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:24:04 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:19:58 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:30:50 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 23:21:06 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 22:40:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:21 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:45 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:38 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:59:40 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:07:55 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:00:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:24:07 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:14:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:58:19 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:20:31 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 13:33:59 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:21:30 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:45 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:23:19 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:27:48 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:19 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:04:23 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:42 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:30:55 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:15:15 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:38 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:39:39 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:47 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:40 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 01:15:31 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:14 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:12:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:11:11 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 00:25:55 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:17 - Program Manager
              Source: N1aqZIb7KG.exe, 00000001.00000002.2133847996.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, N1aqZIb7KG.exe, 00000001.00000002.2133847996.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -GledProgram Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Gl<
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:22:24 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:01 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:37 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:46 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:05 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:22:34 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 16:06:56 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:33 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 22:53:16 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:13 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:12:45 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:45 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 23:35:57 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:26 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:22:33 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:00 - Program Manager
              Source: N1aqZIb7KG.exe, 00000001.00000002.2133847996.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager\OGl
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 13:52:49 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:28 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:21:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:18:23 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:16:26 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:07 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:34 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:46:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:28:01 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:35 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:16:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:37 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:26:13 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:10 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:11 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:27 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:55:06 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:13:21 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 12:08:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:37 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 00:12:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 14:33:14 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:59 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 20:13:16 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:56:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:29:01 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:26 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:25:09 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:36 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:12:47 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:32:03 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:25:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:19:24 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:24:03 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:58 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:31:01 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:15:57 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:25:54 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:36 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:09:02 - Program Manager
              Source: N1aqZIb7KG.exe, 00000001.00000002.2133847996.0000000002CAC000.00000004.00000800.00020000.00000000.sdmp, N1aqZIb7KG.exe, 00000001.00000002.2133847996.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, N1aqZIb7KG.exe, 00000001.00000002.2137006723.0000000004F7B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 18:10:32 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:19:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:32 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:05 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:57:25 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:59:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 16:46:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:25 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:59 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 13:09:08 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 13:56:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:21:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:50:37 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:19:26 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:32 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:40 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:21:23 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:27:07 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:39 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:50:09 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 00:35:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:25:37 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:57 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:53 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:06 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:33 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:25:55 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:25:28 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:43:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 00:16:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 23:08:47 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 20:39:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:20:16 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:31 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:31 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:55:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:32:50 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 20:27:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:15:52 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 01:42:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:50 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:23:28 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:10:08 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:15 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:27:24 - Program Manager
              Source: svchost.exe, 00000008.00000002.4566707124.0000000000856000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Rh Program Manager,
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:11:20 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 16:51:32 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:36:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:48:48 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 18:26:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:29:39 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:37:11 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:17:50 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:30:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:24:56 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 18:57:27 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:15 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:19:09 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:29:23 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 19:31:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 11:27:39 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:52 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:26:54 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:21 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:43 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:21 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:45 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:16:53 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:19:22 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:18:08 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:26:24 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -GledProgram ManagerP
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:15:51 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:27:26 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:27:50 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:52 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 20:07:12 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:14:34 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:30:00 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:18:39 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:18:24 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:22:17 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:53:36 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Gl`=
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:28:53 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:46 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 04:24:21 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:21:18 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003196000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000003156000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 13:38:07 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:15:55 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:20:13 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000003090000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 02:51:29 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.4568319316.000000000309C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/07 | 18:26:44 - Program Manager
              Source: svchost.exe, 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 23/12/08 | 03:31:19 - Program Manager
Binary or memory strings recovered from the svchost.exe memory dumps (all of the form svchost.exe, 00000008.00000002.4568319316.<region>.00000004.00000800.00020000.00000000.sdmp; only the region is given below), grouped by the set of regions each string was found in and sorted by timestamp:

Regions 0000000003196000, 0000000003156000 and 0000000002E41000:
23/12/07 | 11:27:20 - Program Manager
23/12/07 | 11:28:21 - Program Manager
23/12/07 | 11:28:34 - Program Manager
23/12/07 | 11:28:37 - Program Manager
23/12/07 | 11:29:09 - Program Manager
23/12/07 | 11:29:36 - Program Manager
23/12/07 | 11:31:27 - Program Manager

Regions 0000000002E41000 and 000000000309C000:
23/12/07 | 17:56:46 - Program Manager
23/12/07 | 19:50:55 - Program Manager
program managerL.Gl

Regions 0000000003090000, 0000000002E41000 and 000000000309C000:
23/12/07 | 23:21:44 - Program Manager
23/12/08 | 01:15:41 - Program Manager
23/12/08 | 02:16:20 - Program Manager
23/12/08 | 02:16:29 - Program Manager
23/12/08 | 02:17:27 - Program Manager
23/12/08 | 02:17:52 - Program Manager
23/12/08 | 02:18:52 - Program Manager
23/12/08 | 02:19:24 - Program Manager
23/12/08 | 02:21:11 - Program Manager
23/12/08 | 02:21:41 - Program Manager
23/12/08 | 02:26:41 - Program Manager
23/12/08 | 02:44:07 - Program Manager
23/12/08 | 02:52:22 - Program Manager
23/12/08 | 02:58:09 - Program Manager
23/12/08 | 03:16:37 - Program Manager
23/12/08 | 03:21:10 - Program Manager
23/12/08 | 03:21:40 - Program Manager
23/12/08 | 03:21:55 - Program Manager
23/12/08 | 03:23:54 - Program Manager
23/12/08 | 03:25:21 - Program Manager
23/12/08 | 03:25:56 - Program Manager
23/12/08 | 03:27:55 - Program Manager
23/12/08 | 03:28:25 - Program Manager

Regions 0000000003090000 and 0000000002E41000:
23/12/08 | 03:28:55 - Program Manager

Region 0000000002E41000 only:
23/12/08 | 03:30:47 - Program Manager
23/12/08 | 03:35:45 - Program Manager
23/12/08 | 03:59:04 - Program Manager
23/12/08 | 04:15:08 - Program Manager

Region 0000000003196000 only:
-GledProgram Managerp

Source: N1aqZIb7KG.exe, Explower.exe.1.dr, Explower.exe0.1.dr, Explower.exe1.1.dr, Explower.exe2.1.dr, Explower.exe3.1.dr, Explower.exe4.1.dr, Explower.exe5.1.dr, Explower.exe6.1.dr, Explower.exe7.1.dr, Explower.exe8.1.dr, svchost.exe.1.dr | Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (6 entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
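Added example, not Joe Sandbox code and not part of the sample: a parser that rebuilds a window-focus timeline from timestamped strings like the ones recovered from svchost.exe memory above. The record layout (YY/MM/DD | HH:MM:SS - window title) is inferred from those strings, and the input below is a constructed subset of them plus two of the torn fragments, so the filter is shown rejecting garbage. The analysis started 2023-12-07 11:26:05 and ran 9m 43s, so every stamp after 11:35:48 (all of the 23/12/08 ones) cannot be wall-clock time; it is the guest clock after the sandbox intercepted and shortened the process's Sleep calls (the API Interceptor entries later in this report count 90057 modified Sleep calls for svchost.exe), and the summary counts those records separately instead of treating them as real dwell time.

```python
"""Rebuild a window-focus timeline from timestamped strings carved out of a
process memory dump (example code written for this report, not Joe Sandbox's).

Record layout, inferred from the strings on the page (an assumption):
    YY/MM/DD | HH:MM:SS - <foreground window title>
"""
import re
from datetime import datetime, timedelta

RECORD = re.compile(r"^(\d{2}/\d{2}/\d{2}) \| (\d{2}:\d{2}:\d{2}) - (.+)$")

# Constructed input: a handful of the report's strings, one duplicate (the same
# record sits in several dump regions) and two torn fragments that must be dropped.
CARVED_STRINGS = [
    "23/12/07 | 11:27:20 - Program Manager",
    "23/12/07 | 11:28:21 - Program Manager",
    "23/12/07 | 11:31:27 - Program Manager",
    "-GledProgram Managerp",                  # torn fragment
    "23/12/07 | 17:56:46 - Program Manager",
    "23/12/08 | 01:15:41 - Program Manager",
    "23/12/08 | 03:28:55 - Program Manager",
    "program managerL.Gl",                    # torn fragment
    "23/12/08 | 04:15:08 - Program Manager",
    "23/12/08 | 01:15:41 - Program Manager",  # duplicate across regions
]


def parse_records(strings):
    """Return sorted, de-duplicated (datetime, title) pairs; non-matching strings are skipped."""
    seen = set()
    for s in strings:
        m = RECORD.match(s.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y/%m/%d %H:%M:%S")
        seen.add((stamp, m.group(3)))
    return sorted(seen)


def timeline_summary(strings, run_start_iso, run_length_seconds):
    """Summarise the records and count those outside the analysis window.

    A stamp later than run_start + run_length cannot be wall-clock time for the
    run: it is the guest clock after the sandbox shortened the process's sleeps.
    """
    records = parse_records(strings)
    start = datetime.fromisoformat(run_start_iso)
    end = start + timedelta(seconds=run_length_seconds)
    outside = [r for r in records if not (start <= r[0] <= end)]
    return {
        "count": len(records),
        "first": records[0][0].isoformat() if records else None,
        "last": records[-1][0].isoformat() if records else None,
        "titles": sorted({title for _, title in records}),
        "out_of_window": len(outside),
    }


if __name__ == "__main__":
    # Report start time and duration from the analysis metadata (9m 43s = 583 s).
    for key, value in timeline_summary(CARVED_STRINGS, "2023-12-07T11:26:05", 583).items():
        print(f"{key}: {value}")
```

On the real dump, feed it every string from the region rather than the page's excerpt; the de-duplication matters because the same record is carved from several regions, and a single window title across the whole run (only "Program Manager" here) is itself a sandbox tell: no user ever focused another window.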

Lowering of HIPS / PFW / Operating System Security Settings

Source: N1aqZIb7KG.exe, Fransesco.cs | .Net Code: INS
Source: Explower.exe.1.dr, Explower.exe0.1.dr, Explower.exe1.1.dr, Explower.exe2.1.dr, Explower.exe3.1.dr, Explower.exe4.1.dr, Explower.exe5.1.dr, Explower.exe6.1.dr, Explower.exe7.1.dr, Explower.exe8.1.dr, Fransesco.cs | .Net Code: INS
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: C:\Users\user\Desktop\N1aqZIb7KG.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE (2 entries)
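Added example, not Joe Sandbox code: detection logic for the two behaviours in this section, run over constructed endpoint telemetry. The events are shaped like Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) records reduced to the fields the rules read; the field names, SIDs and the benign paths are assumptions, and the first two events are modelled on the report's own netsh command line and DisableTaskMgr write. The firewall rule covers both the legacy "netsh firewall add allowedprogram" form this sample uses (still accepted on current Windows, with a deprecation notice) and the "netsh advfirewall firewall add rule ... action=allow program=..." form, and it rates the finding higher when the whitelisted program is the parent that spawned netsh (self-whitelisting, exactly the report's process tree) or lives under a user-writable path. The registry rule ignores writes that set the value back to 0.

```python
"""Detect a self-added firewall exception and a DisableTaskMgr policy write in
process/registry telemetry (example code written for this report, not Joe Sandbox's).
"""
import re

# Legacy context used by this sample, and the advfirewall form that replaced it.
NETSH_LEGACY = re.compile(r'netsh(?:\.exe)?"?\s+firewall\s+add\s+allowedprogram\b', re.I)
NETSH_ADV = re.compile(
    r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b', re.I)
TASKMGR_VALUE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
# Locations from which a program should not be adding its own exception.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed telemetry (Sysmon-like field names are an assumption). Events 1 and 2
# mirror the report; the rest are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\N1aqZIb7KG.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 1880, "Image": r"C:\Users\user\Desktop\N1aqZIb7KG.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe" enable=yes'},
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface ip show config"},
]


def firewall_exception_target(cmdline):
    """Return the program path a netsh command whitelists, or None for anything else."""
    if NETSH_LEGACY.search(cmdline):
        # netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
        m = re.search(r'allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', cmdline, re.I)
    elif NETSH_ADV.search(cmdline):
        m = re.search(r'\bprogram=(?:"([^"]+)"|(\S+))', cmdline, re.I)
    else:
        return None
    return (m.group(1) or m.group(2)) if m else None


def dword_value(details):
    """Parse the 'DWORD (0x...)' form Sysmon uses for registry data; None if absent."""
    m = re.search(r"0x([0-9a-f]+)", details or "", re.I)
    return int(m.group(1), 16) if m else None


def triage(events):
    """Apply both rules to the event list and return findings in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            target = firewall_exception_target(ev.get("CommandLine", ""))
            if target is None:
                continue  # port rules and unrelated netsh use are not program exceptions
            low = target.lower()
            self_added = ev.get("ParentImage", "").lower() == low
            risky_path = any(p in low for p in USER_WRITABLE)
            findings.append({
                "rule": "firewall_exception_added",
                "severity": "high" if (self_added or risky_path) else "medium",
                "target": target,
                "self_whitelisting": self_added,
                "pid": ev.get("ProcessId"),
            })
        elif ev.get("EventID") == 13 and TASKMGR_VALUE.search(ev.get("TargetObject", "")):
            if dword_value(ev.get("Details")) == 0:
                continue  # value cleared: Task Manager re-enabled, not disabled
            findings.append({
                "rule": "taskmgr_disabled",
                "severity": "medium",
                "writer": ev.get("Image"),
                "pid": ev.get("ProcessId"),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The parent-equals-target check is the cheapest high-confidence signal here: legitimate installers add exceptions for the product they install, not for themselves, and they run from Program Files or a package cache rather than from the user's Desktop.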

Stealing of Sensitive Information

Source: Yara match | File source: N1aqZIb7KG.exe, type: SAMPLE
Source: Yara match | File source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: N1aqZIb7KG.exe PID: 1880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explower.exe PID: 1616, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED (listed 10 times; the dropped-file scanner table below gives the ten distinct Explower.exe paths)
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: N1aqZIb7KG.exe, type: SAMPLE
Source: Yara match | File source: 1.0.N1aqZIb7KG.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: N1aqZIb7KG.exe PID: 1880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Explower.exe PID: 1616, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED (listed 10 times; the dropped-file scanner table below gives the ten distinct Explower.exe paths)
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, type: DROPPED
MITRE ATT&CK matrix (the export flattened the grid; it is rebuilt here one tactic per line, cells in the report's row order; a leading number is the report's marker on a technique the analysis matched, kept exactly as printed, and techniques without one are the matrix's unmatched placeholders):

Initial Access: 11 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 12 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Access Token Manipulation; 112 Process Injection; 12 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 132 Masquerading; 41 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 112 Process Injection; 1 Software Packing; 1 File Deletion; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Peripheral Device Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 32 System Information Discovery
Lateral Movement: 11 Replication Through Removable Media; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Behavior Graph (ID 1355317; sample N1aqZIb7KG.exe; start date 07/12/2023; architecture WINDOWS; score 100). The graph image and its icon legend are not reproduced; the nodes and edges are listed here.

Root-level DNS: 6.tcp.eu.ngrok.io
Root-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures

N1aqZIb7KG.exe (started from root)
  dropped: C:\Windows\SysWOW64\Explower.exe (PE32); C:\Users\user\Favorites\Explower.exe (PE32); C:\Users\user\Documents\Explower.exe (PE32); 8 other malicious files
  signatures: Drops PE files to the document folder of the user; Drops PE files to the startup folder; Uses netsh to modify the Windows network and firewall settings; 3 other signatures
  started: svchost.exe; netsh.exe (-> conhost.exe); netsh.exe (-> conhost.exe); 2 other processes (-> conhost.exe)

  svchost.exe (child of N1aqZIb7KG.exe)
    network: 18.197.239.109, port 13150 (source ports 49725, 49726), AMAZON-02 US; 6.tcp.eu.ngrok.io / 3.68.171.119, port 13150 (source ports 49709, 49710), AMAZON-02 US; 52.28.247.255, port 13150 (source ports 49739, 49740), AMAZON-02 US
    signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 2 other signatures
    started: netsh.exe (-> conhost.exe), three times

Explower.exe (started from root)

Source | Detection | Scanner | Label
N1aqZIb7KG.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
N1aqZIb7KG.exe | 100% | Avira | TR/Dropper.Gen
N1aqZIb7KG.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Program Files (x86)\Explower.exe | 100% | Avira | TR/Dropper.Gen (10 rows in the report, one per dropped Explower.exe copy)
C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe | 100% | Joe Sandbox ML (10 rows in the report, one per dropped Explower.exe copy)
C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\svchost.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Desktop\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Documents\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Favorites\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Windows\SysWOW64\Explower.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://crl.microsofto | 0% | Avira URL Cloud | safe
http://crl.micros# | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
6.tcp.eu.ngrok.io | 3.68.171.119 | true | true | (none) | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micros# | SIHClient.exe, 00000010.00000003.2295775556.0000026001E2B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsofto | SIHClient.exe, 00000010.00000002.2688090120.0000026002699000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
52.28.247.255 | unknown | United States | 16509 | AMAZON-02 (US) | false
18.197.239.109 | unknown | United States | 16509 | AMAZON-02 (US) | true
3.68.171.119 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02 (US) | true

All three addresses were contacted on 13150/tcp by the injected svchost.exe (see the behavior graph). 6.tcp.eu.ngrok.io is an ngrok TCP-tunnel hostname that resolves to a changing pool of Amazon addresses, and the operator's real endpoint sits behind the tunnel; the hostname and the port are therefore the durable indicators, while the individual IPs (including 52.28.247.255, which the reputation column does not flag although the context table below ties it to twenty other njRAT submissions) will go stale.
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1355317
Start date and time: 2023-12-07 11:26:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: N1aqZIb7KG.exe (renamed because the original name is a hash value)
Original Sample Name: 5ffc76cfa5ade6017fff6b56c343f718.exe
Detection: MAL
Classification: mal100.spre.troj.adwa.evad.winEXE@23/37@6/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 230
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                • Excluded IPs from analysis (whitelisted): 40.127.169.103, 13.85.23.206, 20.166.126.56
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: N1aqZIb7KG.exe
Time | Type | Description
11:26:55 | API Interceptor | 1x Sleep call for process: N1aqZIb7KG.exe modified
11:26:58 | API Interceptor | 90057x Sleep call for process: svchost.exe modified
11:26:59 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
11:27:13 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
52.28.247.255 | QsKtlzYaKF.exe | Get hash | malicious | Njrat | Browse
 | dKe1GfZOs1.exe | Get hash | malicious | Njrat | Browse
 | X5eo58PPCB.exe | Get hash | malicious | Njrat | Browse
 | ZuXcnAYgVp.exe | Get hash | malicious | Njrat | Browse
 | wiUnP1h5Ex.exe | Get hash | malicious | Njrat | Browse
 | BqFosj9Wcb.exe | Get hash | malicious | Njrat | Browse
 | d09l64ZAW6.exe | Get hash | malicious | Njrat | Browse
 | 8AKGdJOQ8N.exe | Get hash | malicious | Njrat | Browse
 | uPMGLG7QnV.exe | Get hash | malicious | Njrat | Browse
 | X3vWrCoPG6.exe | Get hash | malicious | Njrat | Browse
 | 8fZNpRy9pN.exe | Get hash | malicious | Njrat | Browse
 | 2CVeP16GYU.exe | Get hash | malicious | Njrat | Browse
 | QuX5A6qz9G.exe | Get hash | malicious | Njrat | Browse
 | TdxWv8SpDq.exe | Get hash | malicious | Njrat | Browse
 | OperaSetup.exe | Get hash | malicious | Quasar | Browse
 | HR0Hh3FsOH.exe | Get hash | malicious | njRat | Browse
 | r0EX1ZWE8C.exe | Get hash | malicious | Njrat | Browse
 | Android_USB_Jailbreaker.exe | Get hash | malicious | Njrat | Browse
 | NNUqIKtjza.exe | Get hash | malicious | Unknown | Browse
 | CxVNNetrEI.exe | Get hash | malicious | Njrat | Browse
18.197.239.109 | dKe1GfZOs1.exe | Get hash | malicious | Njrat | Browse
 | bRxR.exe | Get hash | malicious | AsyncRAT, DcRat | Browse
 | ZuXcnAYgVp.exe | Get hash | malicious | Njrat | Browse
 | d09l64ZAW6.exe | Get hash | malicious | Njrat | Browse
 | 8AKGdJOQ8N.exe | Get hash | malicious | Njrat | Browse
 | uPMGLG7QnV.exe | Get hash | malicious | Njrat | Browse
 | X3vWrCoPG6.exe | Get hash | malicious | Njrat | Browse
 | KD9rMPUEBM.exe | Get hash | malicious | Njrat | Browse
 | 8fZNpRy9pN.exe | Get hash | malicious | Njrat | Browse
 | 2CVeP16GYU.exe | Get hash | malicious | Njrat | Browse
 | 64EithtAyN.exe | Get hash | malicious | Njrat | Browse
 | QuX5A6qz9G.exe | Get hash | malicious | Njrat | Browse
 | TdxWv8SpDq.exe | Get hash | malicious | Njrat | Browse
 | OperaSetup.exe | Get hash | malicious | Quasar | Browse
 | OperaSetup.exe | Get hash | malicious | Quasar | Browse
 | 887F546123CD59024356557175BD77FE1144BA5C56D93.exe | Get hash | malicious | Njrat | Browse
 | r0EX1ZWE8C.exe | Get hash | malicious | Njrat | Browse
 | Android_USB_Jailbreaker.exe | Get hash | malicious | Njrat | Browse
 | CxVNNetrEI.exe | Get hash | malicious | Njrat | Browse
 | bLtN.exe | Get hash | malicious | Njrat | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
6.tcp.eu.ngrok.io | m5l9v13hIi.exe | Get hash | malicious | Njrat | Browse | 3.66.38.117
 | QsKtlzYaKF.exe | Get hash | malicious | Njrat | Browse | 3.69.157.220
 | xZLQ8X9Cxo.exe | Get hash | malicious | Njrat | Browse | 3.69.157.220
 | sCXwkZrcZ3.exe | Get hash | malicious | Njrat | Browse | 3.68.171.119
 | dKe1GfZOs1.exe | Get hash | malicious | Njrat | Browse | 3.69.157.220
 | bRxR.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 18.197.239.109
 | X5eo58PPCB.exe | Get hash | malicious | Njrat | Browse | 3.69.157.220
 | ZuXcnAYgVp.exe | Get hash | malicious | Njrat | Browse | 52.28.247.255
 | wiUnP1h5Ex.exe | Get hash | malicious | Njrat | Browse | 3.69.115.178
 | BqFosj9Wcb.exe | Get hash | malicious | Njrat | Browse | 52.28.247.255
 | d09l64ZAW6.exe | Get hash | malicious | Njrat | Browse | 52.28.247.255
 | 8AKGdJOQ8N.exe | Get hash | malicious | Njrat | Browse | 3.68.171.119
 | uPMGLG7QnV.exe | Get hash | malicious | Njrat | Browse | 3.66.38.117
 | X3vWrCoPG6.exe | Get hash | malicious | Njrat | Browse | 3.68.171.119
 | 7U23YeVgmF.exe | Get hash | malicious | Njrat | Browse | 3.69.115.178
 | KD9rMPUEBM.exe | Get hash | malicious | Njrat | Browse | 3.68.171.119
 | 8fZNpRy9pN.exe | Get hash | malicious | Njrat | Browse | 52.28.247.255
 | 2CVeP16GYU.exe | Get hash | malicious | Njrat | Browse | 3.66.38.117
 | 64EithtAyN.exe | Get hash | malicious | Njrat | Browse | 3.68.171.119
 | QuX5A6qz9G.exe | Get hash | malicious | Njrat | Browse | 3.69.115.178
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02 US | Ddpic6s7I6.elf | Get hash | malicious | Mirai | Browse | 34.249.145.219
 | https://customer76920g.musvc5.net/e/tr?q=0%3dCb7fCd%26m%3dX%26z%3dX%26p%3dXE%26P%3diQ6Kt_OcxQ_ZM_MRzb_WG_OcxQ_YRNf07MfA18vPuBo-OqQjB9.Kx_OcxQ_YR%269%3dnR5Qdb.z0u%26F5%3dY%26uP%3dDe3ZCWAcCV8m6bAbCd%26i%3d8EV5fI98cFb6bI0e8GA4aodbYmd6fDZ69C8cgqceAr0baIXABG69cIbfApcbeKa9&mupckp=mupAtu4m8OiX0wt | Get hash | malicious | Unknown | Browse | 54.73.69.125
 | TmZjZ9jzBA.elf | Get hash | malicious | Mirai | Browse | 34.254.182.186
 | mips.elf | Get hash | malicious | Mirai | Browse | 34.249.145.219
 | Reserva.xls | Get hash | malicious | RevengeRAT | Browse | 108.156.172.89
 | psjlubgMG8.exe | Get hash | malicious | Njrat | Browse | 3.124.142.205
 | https://supportelders.co/custom/themes/dsv/amexexpress.html | Get hash | malicious | HTMLPhisher | Browse | 3.6.161.171
 | https://2hb97.talxs.ru/491t | Get hash | malicious | HTMLPhisher | Browse | 99.84.108.83
 | gQyLMWRRx7.exe | Get hash | malicious | Njrat | Browse | 18.158.249.75
 | https://https.file-transfers.ancillarycheese.com/XYmpJek5GVXJOalpuVmpsMlpWZDFjWEZ5TkhZM1RYbDJOakpLY0VWNFZFZzNWM2h2ZW1kR01rZzFTV2xEVDBod1VqY3pOMWhSYUc1RVRFVktja0pEYVVVdlkxQnpNMWh3SzBOMk16aGFWWGhVYVVOMVIwNVFVemRLTlZoTE5WcHFjVXREZVVoQmR6Vm1Ta1J6Y1VsVWVteHlVbGROY2sxMkx6Qk5VRFp3TVc1WU5UaDBTemRXU0V4NGRGbzJWSEpMYjFOMlJraHpiamxxVEM4MlFYazFMM3BZYlhoSE5FWlBSVGxXUmtSSmQxSTRUM2hRTWpOaFRGVlpaRU16TkhCNE9XMXpObTlLU3pBMk5YbDFVVU5vVmpSTmNEWklRVDA5TFMxRWNYVTBZVU5YTDNkdFJtODJRVWxYVjFaT1dIRkJQVDA5LS0yODEzMzI4OTM5YmViMDMzNWFiZmQ1NzVjZmIzYzFiYTdiMmU5MDc5?cid=1824703302 | Get hash | malicious | Unknown | Browse | 52.217.118.128
 | https://lovegemini.co.uk/fc.PDF | Get hash | malicious | HTMLPhisher | Browse | 99.86.229.40
 | https://runrun.it/share/form/jYulPVdeVffo1EA1 | Get hash | malicious | HTMLPhisher | Browse | 52.217.48.84
 | https://lovegemini.co.uk/fc.PDF | Get hash | malicious | HTMLPhisher | Browse | 99.86.229.16
 | https://trk.klclick3.com/ls/click?upn=K0nieRRdrSJ-2FFWBTiZhIo3iXKh82ylx9MKlaEFUtlBZaZGkxnTtxLeUBYKLTdzUenM3G9yGXAvj79BuHueoC2DPHnFOwypRcfZOLWqmm0COzw4Wh0exi7NNgBTUSeVap83mphKwBekc4w1r8jRHCkw-3D-3Dv11M_4ZUHUMOrZND9wpJ4r4-2BdnkU1uDKv0Hu0aEK8kv7JA9pmX6mKfxuxw1yLduYNGVp0p7kEeH0T6NsaItmo-2FbQseFCtaMUqLwhSzamWV1A-2Bi9u9YENhza2bFH025xEhFRCzIXB5aSMJh2nt3xk61Mb3tKs4tbWSW0sff1cLfav4Myi0B4R7feMztjEhMY7DdbO0HxWtq5wf7lG8XNlAB-2FgSIa0RcIdNPw-2BstYtrtFNNOUhChEAjj4-2F5tyV-2FQ5hwxyzbITQJG1Yz7wCLAsJRMx8YrJF-2FWJKgZaofhwfR871yMBjo1U-2Bud23GWaAXATA2g-2BDk | Get hash | malicious | Fake Captcha | Browse | 52.85.61.125
 | https://customer76949g.musvc5.net/e/tr?q=4%3dOYCZRZ%26s%3dR%26B%3dT%26v%3dRQ%26M%3doKHHz_IouW_TY_JXtn_TM_IouW_Sd7zNyLlIGLvE3EvIH9h83.H4%265%3dAMzM1W.u6H%26Az%3dS%26HK%3d9aPU8SXX8YQb8T%266%3dUl2y3hRVbDW15CZU3DRUU864TEXQ5l5y6kZRXiVT30YXaiTP5jV4Uj6y7hVy8l4X3kYW&mupckp=mupAtu4m8OiX0wt | Get hash | malicious | HTMLPhisher | Browse | 52.214.164.36
 | https://app.vision6.com/em/message/email/view.php?id=10286&a=108385&k=lErs5We1GjgOrSGNrcjlMhohJ-iBOFWoNE1byhl7R0Y | Get hash | malicious | HTMLPhisher | Browse | 35.155.47.205
 | https://customer76920g.musvc5.net/e/tr?q=0%3dCb7fCd%26m%3dX%26z%3dX%26p%3dXE%26P%3diQ6Kt_OcxQ_ZM_MRzb_WG_OcxQ_YRNf07MfA18vPuBo-OqQjB9.Kx_OcxQ_YR%269%3dnR5Qdb.z0u%26F5%3dY%26uP%3dDe3ZCWAcCV8m6bAbCd%26i%3d8EV5fI98cFb6bI0e8GA4aodbYmd6fDZ69C8cgqceAr0baIXABG69cIbfApcbeKa9&mupckp=mupAtu4m8OiX0wt | Get hash | malicious | Unknown | Browse | 54.73.69.125
 | https://www.agfax.com/2023/12/05/usda-releases-map-showing-areas-approved-for-its-broadband-connection-program/ | Get hash | malicious | Unknown | Browse | 52.85.132.2
 | https://indd.adobe.com/view/c3179703-3c89-45fc-937b-8dade90a5431 | Get hash | malicious | Unknown | Browse | 99.86.229.114
 | https://indd.adobe.com/view/c3179703-3c89-45fc-937b-8dade90a5431 | Get hash | malicious | Unknown | Browse | 99.86.229.114
                                                                                                No context
                                                                                                No context
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
                                                                                                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
                                                                                                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
                                                                                                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
                                                                                                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
                                                                                                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
                                                                                                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):525
                                                                                                Entropy (8bit):5.259753436570609
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):525
                                                                                                Entropy (8bit):5.259753436570609
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):40
                                                                                                Entropy (8bit):4.411768795973194
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:oNN2+WrUdYdA:oNN2RAKA
                                                                                                MD5:40A507EA9016C2840699ABDD5CAF151C
                                                                                                SHA1:7C2BA0566490934788C7C2F5E03F262BBD5D9CAB
                                                                                                SHA-256:F5841A3371B99786E9590837703850F1141D15B8CC2EE741A02D486A8E13055E
                                                                                                SHA-512:F786F67E0EFB483926E3F3D6AF4823DB577A58756486F659D4B0A0CF9D4630461A222932ED0F9309BBE629B072B04EE4B17E6F3211D2136B6E5CF9AD9103CA35
                                                                                                Malicious:false
                                                                                                Preview:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: unknown
                                                                                                • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: Florian Roth
                                                                                                • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: JPCERT/CC Incident Response Group
                                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: ditekSHen
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4
                                                                                                Entropy (8bit):2.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:X:X
                                                                                                MD5:FBA73CE50D8CFB469EC29A2333B22A85
                                                                                                SHA1:4B7B6DFB36AF4A016301DC065870DD0829DB0A55
                                                                                                SHA-256:56AE4E1144656432194C610E366FB556F7401A9993E75C0007F46397A5DDFA03
                                                                                                SHA-512:B620D99E15C25E970A09738D14B493B2345EC1EB48737E2983565666A3C052D235712DB01A110C9948DC00D62A14FCCCF43CCC295F993D673334DC88497C77C7
                                                                                                Malicious:false
                                                                                                Preview:.7
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Windows\System32\SIHClient.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):12288
                                                                                                Entropy (8bit):3.172164411143602
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:FpIIj65ZwH1+mwDsrRJxyYJ2Y9IcIkZ4+YcbIQSmlcyELJLIweJphx:Fpw5Zu1TaqJMiBazt+7bx1FELqxJphx
                                                                                                MD5:09BEF03977B00035A3417F69EF409F32
                                                                                                SHA1:0208620B89ACCE1375986B764AC04A3E25A9E684
                                                                                                SHA-256:9743C3552A896DF4A882A80455C49EFCF8C4CBECD12E20F3DFF47E0138DDEB01
                                                                                                SHA-512:8DD1E5E7EA4C640BB0B6F4AF725F83C2250ABC4AEE0A560E4F0FC9DE4B705AC26A7710168C64FDE359AB94CD7451466ED369464173EC8944BF498EDB747E15A2
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\SIHClient.exe
                                                                                                File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):17126
                                                                                                Entropy (8bit):7.3117215578334935
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                                                                MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                                                                SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                                                                SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                                                                SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\SIHClient.exe
                                                                                                File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):24490
                                                                                                Entropy (8bit):7.629144636744632
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                                                                                MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                                                                                SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                                                                                SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                                                                                SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\SIHClient.exe
                                                                                                File Type:Microsoft Cabinet archive data, single, 283 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 18148, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):17395
                                                                                                Entropy (8bit):7.297808060361236
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:Y++BFO7SCP3yalzqDHt8Axz5GIqMvus/qnajBMWj6AkKFZYECUqY7S8Zuo1nqnaC:lCksHqzj0l9P6AnCUTZZl9lRo
                                                                                                MD5:E97660B7AB6838D0D96B5C6BB4328753
                                                                                                SHA1:AA104E62A8166E23D89C4769EC382EF345299D28
                                                                                                SHA-256:2BA13EB8A2705B01E54067B2A4FFC17CA2EB376EE3F3BA8D9C5FACE8C5AC1279
                                                                                                SHA-512:E867FE411239AD8EB66342C9522D48DBC9BB872210CD14B4C734661C4966AEC8CF022C510284B70736049E1F98C4EDA18651C7F7A3B7F6E1DEF782F4F89E8FB2
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\SIHClient.exe
                                                                                                File Type:Microsoft Cabinet archive data, single, 8785 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 36571, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                                                                Category:dropped
                                                                                                Size (bytes):25457
                                                                                                Entropy (8bit):7.655665945183416
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:i9eD3oXHzqAAteICxU2L/l/dVCmMMx2GCq3fQkclmIO+WccCuqvXolUjx2:3AhAteHq2L/l/dkMxjCgF+WcmqvS
                                                                                                MD5:9D27F0ECE5019003D4415EB80973B81A
                                                                                                SHA1:39C19D8842C0201FD203F6D1EA79CEBD2E880970
                                                                                                SHA-256:331D51A091FFA84C2959F2A5971EEC6EC976F00B84473E4861D72CBED4C97203
                                                                                                SHA-512:8DF4CBDF4248743F50DFB41B0E6CC94C61227505288B23742EA0E9C86A8FA71D2AA84621D094D867C91BA4B551256E7FDD28ADE5ABA6C23F68CD80A4768922E1
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):95232
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                MD5:5FFC76CFA5ADE6017FFF6B56C343F718
                                                                                                SHA1:AC5B3889AF5E488C26102B1B886C00AE0B15AEBC
                                                                                                SHA-256:26B9F4E5AEAE4AA95E44A9A9D51D028B30BD6C9F329BBE8B52511C65BA294FB3
                                                                                                SHA-512:9BE0F6DFF2F25493E54A7B26AD405E5AEF0EA3D4EEE8674A02E4C2407CA4F8126DEBD6BE26F3AE193E2B1FC459E667242D2380DD9F9522DDF2D01A378DB4FBA0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 84%
                                                                                                Process:C:\Users\user\Desktop\N1aqZIb7KG.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):313
                                                                                                Entropy (8bit):4.971939296804078
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                                                MD5:689E2126A85BF55121488295EE068FA1
                                                                                                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                                                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                                                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                                                Malicious:false
                                                                                                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):5.558759879113321
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                File name:N1aqZIb7KG.exe
                                                                                                File size:95'232 bytes
                                                                                                MD5:5ffc76cfa5ade6017fff6b56c343f718
                                                                                                SHA1:ac5b3889af5e488c26102b1b886c00ae0b15aebc
                                                                                                SHA256:26b9f4e5aeae4aa95e44a9a9d51d028b30bd6c9f329bbe8b52511c65ba294fb3
                                                                                                SHA512:9be0f6dff2f25493e54a7b26ad405e5aef0ea3d4eee8674a02e4c2407ca4f8126debd6be26f3ae193e2b1fc459e667242d2380dd9f9522ddf2d01a378db4fba0
                                                                                                SSDEEP:768:DY3r+tD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3jsGP:m+nOx6baIa9RIj00ljEwzGi1dDPDTgS
                                                                                                TLSH:D293F84977E56524E4BF56F79871F2004E34B48B1602E39D48F219AA1B33AC44F89FEB
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....je.................p............... ........@.. ....................................@................................
                                                                                                Icon Hash:00928e8e8686b000
                                                                                                Entrypoint:0x418efe
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x656AFFFA [Sat Dec 2 09:59:22 2023 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                Instruction
                                                                                                jmp dword ptr [00402000h]
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x18ea8          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x16f04       0x17000   False     0.36799422554347827  data       5.59057945627049     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc  0x1a000          0xc           0x200     False     0.041015625          data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL          Import
mscoree.dll  _CorExeMain
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                Dec 7, 2023 11:28:41.878560066 CET131504972918.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:42.513792038 CET4972913150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:42.755429029 CET131504972918.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:43.310664892 CET4972913150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:51.310657024 CET4972913150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:51.552495956 CET131504972918.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:53.562151909 CET4973013150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:53.841615915 CET131504973018.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:54.498224020 CET4973013150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:54.740861893 CET131504973018.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:55.388780117 CET4973013150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:55.635453939 CET131504973018.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:56.201291084 CET4973013150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:56.446083069 CET131504973018.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:56.998189926 CET4973013150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:28:57.240093946 CET131504973018.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:28:59.252034903 CET4973113150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:00.326291084 CET4973113150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:00.566843987 CET131504973118.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:01.123162031 CET4973113150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:01.369000912 CET131504973118.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:01.920037031 CET4973113150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:09.920085907 CET4973113150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:10.160228014 CET131504973118.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:13.294770002 CET4973213150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:13.544378042 CET131504973218.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:14.123123884 CET4973213150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:14.387597084 CET131504973218.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:14.919986963 CET4973213150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:15.163816929 CET131504973218.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:15.810652018 CET4973213150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:16.052262068 CET131504973218.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:16.623125076 CET4973213150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:24.379081964 CET4973313150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:24.621432066 CET131504973318.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:25.201186895 CET4973313150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:25.443959951 CET131504973318.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:25.998051882 CET4973313150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:26.252902031 CET131504973318.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:26.888672113 CET4973313150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:27.130868912 CET131504973318.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:27.701194048 CET4973313150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:27.943447113 CET131504973318.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:29.577816963 CET4973413150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:29.818592072 CET131504973418.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:30.326154947 CET4973413150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:30.566960096 CET131504973418.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:31.123051882 CET4973413150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:35.123002052 CET4973413150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:35.368854046 CET131504973418.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:35.999453068 CET4973413150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:36.244839907 CET131504973418.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:37.765369892 CET4973513150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:38.033879995 CET131504973518.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:38.701122046 CET4973513150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:38.947865009 CET131504973518.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:39.503825903 CET4973513150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:39.744777918 CET131504973518.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:40.388591051 CET4973513150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:48.389071941 CET4973513150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:48.630974054 CET131504973518.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:50.062503099 CET4973613150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:50.303009987 CET131504973618.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:50.888636112 CET4973613150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:51.134473085 CET131504973618.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:51.701035976 CET4973613150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:51.947658062 CET131504973618.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:52.497931004 CET4973613150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:52.753674030 CET131504973618.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:53.388623953 CET4973613150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:53.629429102 CET131504973618.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:54.968553066 CET4973713150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:55.209954023 CET131504973718.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:55.810399055 CET4973713150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:56.051841021 CET131504973718.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:56.622889042 CET4973713150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:29:56.864370108 CET131504973718.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:29:57.513546944 CET4973713150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:05.513447046 CET4973713150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:05.757586002 CET131504973718.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:30:07.004203081 CET4973813150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:07.244782925 CET131504973818.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:30:07.888648987 CET4973813150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:08.129292965 CET131504973818.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:30:08.700931072 CET4973813150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:12.700912952 CET4973813150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:12.943240881 CET131504973818.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:30:13.497781038 CET4973813150192.168.2.618.197.239.109
                                                                                                Dec 7, 2023 11:30:13.739084005 CET131504973818.197.239.109192.168.2.6
                                                                                                Dec 7, 2023 11:30:16.070504904 CET4973913150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:16.316828966 CET131504973952.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:16.919661045 CET4973913150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:17.162237883 CET131504973952.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:17.825895071 CET4973913150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:18.071270943 CET131504973952.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:18.622750998 CET4973913150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:18.874967098 CET131504973952.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:19.513375044 CET4973913150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:19.753776073 CET131504973952.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:20.842950106 CET4974013150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:21.094991922 CET131504974052.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:21.622821093 CET4974013150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:21.865662098 CET131504974052.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:22.513370991 CET4974013150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:22.756567955 CET131504974052.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:23.325870991 CET4974013150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:23.568541050 CET131504974052.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:24.122739077 CET4974013150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:24.367062092 CET131504974052.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:25.374149084 CET4974113150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:25.615274906 CET131504974152.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:26.294598103 CET4974113150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:26.535794973 CET131504974152.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:27.200839996 CET4974113150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:27.450433016 CET131504974152.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:27.997723103 CET4974113150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:28.238749027 CET131504974152.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:28.888324022 CET4974113150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:29.129796028 CET131504974152.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:30.077389002 CET4974213150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:30.319031954 CET131504974252.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:30.919605970 CET4974213150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:33.013330936 CET4974213150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:33.255265951 CET131504974252.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:33.810199976 CET4974213150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:41.810197115 CET4974213150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:42.051739931 CET131504974252.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:42.936562061 CET4974313150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:43.178148985 CET131504974352.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:43.700774908 CET4974313150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:43.942635059 CET131504974352.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:44.497618914 CET4974313150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:44.747111082 CET131504974352.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:45.294555902 CET4974313150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:45.535399914 CET131504974352.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:46.200947046 CET4974313150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:46.442183018 CET131504974352.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:47.264416933 CET4974413150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:47.514760017 CET131504974452.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:48.202721119 CET4974413150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:48.443877935 CET131504974452.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:48.997592926 CET4974413150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:49.238482952 CET131504974452.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:49.888221025 CET4974413150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:50.129312992 CET131504974452.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:50.700709105 CET4974413150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:57.467681885 CET4974513150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:57.724822998 CET131504974552.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:58.325764894 CET4974513150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:58.583530903 CET131504974552.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:30:59.122544050 CET4974513150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:30:59.372606039 CET131504974552.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:31:00.013171911 CET4974513150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:31:00.257734060 CET131504974552.28.247.255192.168.2.6
                                                                                                Dec 7, 2023 11:31:00.810049057 CET4974513150192.168.2.652.28.247.255
                                                                                                Dec 7, 2023 11:31:01.066489935 CET131504974552.28.247.255192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 7, 2023 11:27:02.614701033 CET | 62223 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:27:02.757133961 CET | 53 | 62223 | 1.1.1.1 | 192.168.2.6
Dec 7, 2023 11:28:04.015047073 CET | 57634 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:28:05.014174938 CET | 57634 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:28:05.188325882 CET | 53 | 57634 | 1.1.1.1 | 192.168.2.6
Dec 7, 2023 11:29:12.139884949 CET | 54350 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:29:13.139583111 CET | 54350 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:29:13.291721106 CET | 53 | 54350 | 1.1.1.1 | 192.168.2.6
Dec 7, 2023 11:30:15.237263918 CET | 58434 | 53 | 192.168.2.6 | 1.1.1.1
Dec 7, 2023 11:30:15.409115076 CET | 53 | 58434 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 7, 2023 11:27:02.614701033 CET | 192.168.2.6 | 1.1.1.1 | 0xeea7 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:28:04.015047073 CET | 192.168.2.6 | 1.1.1.1 | 0xa643 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:28:05.014174938 CET | 192.168.2.6 | 1.1.1.1 | 0xa643 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:29:12.139884949 CET | 192.168.2.6 | 1.1.1.1 | 0xa465 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:29:13.139583111 CET | 192.168.2.6 | 1.1.1.1 | 0xa465 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:30:15.237263918 CET | 192.168.2.6 | 1.1.1.1 | 0xd8a1 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 7, 2023 11:27:02.757133961 CET | 1.1.1.1 | 192.168.2.6 | 0xeea7 | No error (0) | 6.tcp.eu.ngrok.io | | 3.68.171.119 | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:28:05.188325882 CET | 1.1.1.1 | 192.168.2.6 | 0xa643 | No error (0) | 6.tcp.eu.ngrok.io | | 18.197.239.109 | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:29:13.291721106 CET | 1.1.1.1 | 192.168.2.6 | 0xa465 | No error (0) | 6.tcp.eu.ngrok.io | | 18.197.239.109 | A (IP address) | IN (0x0001) | false
Dec 7, 2023 11:30:15.409115076 CET | 1.1.1.1 | 192.168.2.6 | 0xd8a1 | No error (0) | 6.tcp.eu.ngrok.io | | 52.28.247.255 | A (IP address) | IN (0x0001) | false

Target ID: 1
Start time: 11:26:53
Start date: 07/12/2023
Path: C:\Users\user\Desktop\N1aqZIb7KG.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\N1aqZIb7KG.exe
Imagebase: 0x530000
File size: 95'232 bytes
MD5 hash: 5FFC76CFA5ADE6017FFF6B56C343F718
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000000.2101338617.0000000000532000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 11:26:55
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 11:26:55
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 11:26:56
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall delete allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe"
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 11:26:56
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\Desktop\N1aqZIb7KG.exe" "N1aqZIb7KG.exe" ENABLE
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 11:26:56
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 11:26:56
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 11:26:56
Start date: 07/12/2023
Path: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
Imagebase: 0x30000
File size: 95'232 bytes
MD5 hash: 5FFC76CFA5ADE6017FFF6B56C343F718
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.4568319316.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 84%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 9
Start time: 11:26:58
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 11:26:58
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 11:26:59
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe"
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 11:26:59
Start date: 07/12/2023
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
Imagebase: 0xa60000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 13
Start time: 11:26:59
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 11:26:59
Start date: 07/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 11:27:08
Start date: 07/12/2023
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
Imagebase: 0x590000
File size: 95'232 bytes
MD5 hash: 5FFC76CFA5ADE6017FFF6B56C343F718
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 84%, ReversingLabs
Has exited: true

Target ID: 16
Start time: 11:27:11
Start date: 07/12/2023
Path: C:\Windows\System32\SIHClient.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\sihclient.exe /cv 9rGOcCJ3NE2Fxvl5hzRMzQ.0.2
Imagebase: 0x7ff726e80000
File size: 380'720 bytes
MD5 hash: 8BE47315BF30475EEECE8E39599E9273
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage:26.6%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:11.7%
Total number of Nodes:111
Total number of Limit Nodes:6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l$:@ l$:@ l$:@ l$:@ l$@$\OGl$2Gl
• API String ID: 0-3909392376
• Opcode ID: bd1855688619bc3d94f4d64a466e7ba38476e6903a0203e4860715948bace293
• Instruction ID: 9d2938b8a3d6c1f2e7a74a4ce84923b93483e1817ebc5d21b9c75003af13bfbc
• Opcode Fuzzy Hash: bd1855688619bc3d94f4d64a466e7ba38476e6903a0203e4860715948bace293
• Instruction Fuzzy Hash: 68235874A05228CFDB24EF65D894BE9B7B2FB48308F0040E9D949A77A4DB319E85CF51
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
• API String ID: 0-3866679809
• Opcode ID: 0760a61aaeb0fe65c9cc198115647797cc070c5e33fa266a9b3486eaede1a095
• Instruction ID: e138d5050471687448a631499eeebd0700ccee5d48d151828d2feecc7d29af63
• Opcode Fuzzy Hash: 0760a61aaeb0fe65c9cc198115647797cc070c5e33fa266a9b3486eaede1a095
• Instruction Fuzzy Hash: 36135874A05228CFDB24EF21D894BE9B7B2FB48308F0041E9D949A77A5DB319E85CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B0BEBF
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: c6e92902b0d7a7f81c9b0b9f536f4b84d75aa4394dbc829e0c00fea7e74aad17
• Instruction ID: 722ff9539e5acaddf74e7e61873bcbd648a2efb567f0d51c1b211d3c6f275ed3
• Opcode Fuzzy Hash: c6e92902b0d7a7f81c9b0b9f536f4b84d75aa4394dbc829e0c00fea7e74aad17
• Instruction Fuzzy Hash: DE21AD75509380AFDB128F25DC44B92BFF4EF06310F0885DAE9858B5A3D371A908DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL ref: 05590131
Memory Dump Source
• Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 1a6cfd85a99909c055ede365724c9560aeb5b6477068428e72ce4af50471ad26
• Instruction ID: 7e3e87ad23822470a58c98f9c31386d5874b92ced94f609f8fb4dc0c2d9fd99f
• Opcode Fuzzy Hash: 1a6cfd85a99909c055ede365724c9560aeb5b6477068428e72ce4af50471ad26
• Instruction Fuzzy Hash: D421AE754097C0AFDB238B20DC45A62FFB4FF07314F0984CBE9848B1A3D265A909DB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B0BEBF
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 562015670a19478823540bc657fbc0cd04334dca8e19b6c47a949c856bc59ef5
• Instruction ID: 32f532cf17a5af773fbbe150ce160b32fd17e91211165f8670c1f71638664492
• Opcode Fuzzy Hash: 562015670a19478823540bc657fbc0cd04334dca8e19b6c47a949c856bc59ef5
• Instruction Fuzzy Hash: D5115E755002449FDB20CF55DC84FA6FBE4EF04320F0888AAEE498B662D371E819DF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL ref: 05590131
Memory Dump Source
• Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 622535b790814d625fa15472cb5f5a5c17d845c6a27fa1e918d1ecef2bf03f00
• Instruction ID: 426b84b04776dd6dd44cc6e84da88d39711cd0b5379fb1a0dbd9f089067361fe
• Opcode Fuzzy Hash: 622535b790814d625fa15472cb5f5a5c17d845c6a27fa1e918d1ecef2bf03f00
• Instruction Fuzzy Hash: 360178314002409FDB208F45DC88B62FBA1FF08620F08889ADD490B6A2D379A418DBA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: 2Gl$2Gl$5](l^$E](l^
• API String ID: 0-1374819370
• Opcode ID: a2395a986579bfa59e1e402730238bd0be116d6049917ccc05036cbd002b4800
• Instruction ID: 6994426cffd90b29f526a77ecceec867d7ca12d7beef79ccd45ea6d4715700ae
• Opcode Fuzzy Hash: a2395a986579bfa59e1e402730238bd0be116d6049917ccc05036cbd002b4800
• Instruction Fuzzy Hash: 4131E531B083409FC705EB759C52FAE7BA79BC6608B4484AAD041CF796DF758C09C7A2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: 2Gl$2Gl$5](l^$E](l^
• API String ID: 0-1374819370
• Opcode ID: d51292e1024a929cae2f5401f0948a49b597aba1511be7fd0c0cf051356d7267
• Instruction ID: e3a1e3f24ce4dc1062763adc40201cf2850d85dce95597d836daa4ac1bca65c4
• Opcode Fuzzy Hash: d51292e1024a929cae2f5401f0948a49b597aba1511be7fd0c0cf051356d7267
• Instruction Fuzzy Hash: 4011A030B082404FC305E7759851FE97BA75BC620834884AED081CFB96DF758D0987A3
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: \OGl$2Gl
• API String ID: 0-915996941
• Opcode ID: 9382aab2f3a9ae4d3f8c9d59584c258d87ce599b1f1d7776a456bc3344dd6880
• Instruction ID: b24d709817bf64a211b9d7a7118e287d2c069d686114af6e8d49df261c1c1d0f
• Opcode Fuzzy Hash: 9382aab2f3a9ae4d3f8c9d59584c258d87ce599b1f1d7776a456bc3344dd6880
• Instruction Fuzzy Hash: D7323630A00218CFDB18EFB5D854BEDB7B2BB49309F1045A9D40AAB7A4DB759E85CF41
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: L.Gl
• API String ID: 0-963225538
• Opcode ID: f8ae1c363c78cde3ed5e78430ce28b47ae372aadc454ba438ee8656be630501e
• Instruction ID: 7bab2555e54d86b86952ae5e5d0234918d7437d78602bf1c93a4e1ab304d21cd
• Opcode Fuzzy Hash: f8ae1c363c78cde3ed5e78430ce28b47ae372aadc454ba438ee8656be630501e
• Instruction Fuzzy Hash: 30B19C30B043018FDB18EB75C451BAE77E2AF84318F548478D416DB795EB39DC4AABA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The RegCreateKeyExW call sits in basic block b0b9f3-b0ba06.]
                                                                                                  APIs
                                                                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00B0B9F9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create
                                                                                                  • String ID:
                                                                                                  • API String ID: 2289755597-0
                                                                                                  • Opcode ID: 9d9f41278d4330b2f89eba8360228e101da61f1993168a6e290985bae64874a5
                                                                                                  • Instruction ID: 34bcea57450e41923751bbe61f4c5f6ad7f279d86c1f7220cf71e35a5822a2d9
                                                                                                  • Opcode Fuzzy Hash: 9d9f41278d4330b2f89eba8360228e101da61f1993168a6e290985bae64874a5
                                                                                                  • Instruction Fuzzy Hash: 08319072504344AFE7228B61CC44FA7BFFCEF05710F18859AE985CB692D364E909CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The RegOpenKeyExW call sits in basic block b0b28b-b0b29e.]
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B0B291
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 6f1ca3fa26e85f3a69cc7b690c5fa64194381b5b7b9d9e8918b70927493d5da1
                                                                                                  • Instruction ID: 79d0f1a2b013a1b3ded6a67cface03888b6b87fa6c8fdd13688f61832100abc6
                                                                                                  • Opcode Fuzzy Hash: 6f1ca3fa26e85f3a69cc7b690c5fa64194381b5b7b9d9e8918b70927493d5da1
                                                                                                  • Instruction Fuzzy Hash: DE3172714093846FD7228B61DC45FA6BFF8EF06210F1885DBE984DB592D364E909C771
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The CreateFileW call sits in basic block b0ab1f-b0ab43.]
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B0AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: b1244401d5e72349cfb0b20f06bb89026ad26bf273bd6d83f746c7ba6dc12351
                                                                                                  • Instruction ID: 682f39f926cde3abcc7bb0673ca425be3ffa20342497a3e57187f77a37e7f9c5
                                                                                                  • Opcode Fuzzy Hash: b1244401d5e72349cfb0b20f06bb89026ad26bf273bd6d83f746c7ba6dc12351
                                                                                                  • Instruction Fuzzy Hash: C2317071509380AFE721CF65CC85F56BFF8EF05310F08899EE9858B692D365E808CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The CreateMutexW call sits in basic block b0b0d7-b0b0fb.]
                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00B0B0DD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: 11af989e361365cdf82fe5c2008450c08ac847dec3560d25441b77291dfa9f2a
                                                                                                  • Instruction ID: 9c4426a33f0f171956a05655a876cff7d70b2ce8d04fb1fbfb33eba41c17de7e
                                                                                                  • Opcode Fuzzy Hash: 11af989e361365cdf82fe5c2008450c08ac847dec3560d25441b77291dfa9f2a
                                                                                                  • Instruction Fuzzy Hash: 2E318FB15093806FE711CB65DC85F96FFF8EF06310F18849AE984CB692D365E909CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The RegQueryValueExW call sits in basic block b0b38e-b0b3a1.]
                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0B394
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: 7f6f651a7763e6a1c02196575b1db71fcc8be1e6cfb5a3503261f56d852b85a6
                                                                                                  • Instruction ID: 5aef5fc64bc472b1e063aab66fd251b07c46c9cb7aab1451bdfbc7ec04df24e3
                                                                                                  • Opcode Fuzzy Hash: 7f6f651a7763e6a1c02196575b1db71fcc8be1e6cfb5a3503261f56d852b85a6
                                                                                                  • Instruction Fuzzy Hash: BA31B3711093846FE722CF61CC44FA2BFF8EF06314F1884DAE8858B592D360E908CB65
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The RegCreateKeyExW call sits in basic block b0b9f3-b0ba06.]
                                                                                                  APIs
                                                                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00B0B9F9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create
                                                                                                  • String ID:
                                                                                                  • API String ID: 2289755597-0
                                                                                                  • Opcode ID: a7bf67fb0c96f8b1059304f14ce649ed8e9ee2d58fc912b7aba76d8ad8709bee
                                                                                                  • Instruction ID: 7d3f1b4a603e4229ef33b581e8e7dc3a5ef1a721fc47e87d9f78c02af8e6958a
                                                                                                  • Opcode Fuzzy Hash: a7bf67fb0c96f8b1059304f14ce649ed8e9ee2d58fc912b7aba76d8ad8709bee
                                                                                                  • Instruction Fuzzy Hash: BA218D72600204AFEB21CF55CC84FA7BBFCEF08714F14855AEA49C7A91D760E9098BB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The OleGetClipboard call sits in basic block b0a72e-b0a786.]
                                                                                                  APIs
                                                                                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00B0A77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard
                                                                                                  • String ID:
                                                                                                  • API String ID: 220874293-0
                                                                                                  • Opcode ID: 1cf7389e57ada60ea5df1c97b43d116ed21b80c07ddce75cbf7ec751d384df72
                                                                                                  • Instruction ID: 8d06a25c39949bf8665559c63046700e0cdb78e4f5f506a8aee6ab78e6555049
                                                                                                  • Opcode Fuzzy Hash: 1cf7389e57ada60ea5df1c97b43d116ed21b80c07ddce75cbf7ec751d384df72
                                                                                                  • Instruction Fuzzy Hash: 82316D7104D3C06FD3138B259C61BA1BFB8EF47614F1A40CBE884CB6A3D2696919D772
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The RegSetValueExW call sits in basic block b0baea-b0bafd.]
                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0BAF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: d408d2ec9de76e955bdbe8ae64f1360f219d738cb24f3d342a0c85e6ca0ed468
                                                                                                  • Instruction ID: 1b914e00067694e906f3343e9b45a6ad3c1f71a1fb8d85272aec13df7ee7552b
                                                                                                  • Opcode Fuzzy Hash: d408d2ec9de76e955bdbe8ae64f1360f219d738cb24f3d342a0c85e6ca0ed468
                                                                                                  • Instruction Fuzzy Hash: 3231C1725097C06FD7228B618C45FA2FFB8EF06310F1885CEE9858B5A3D364E809C7A1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The SendMessageTimeoutA call sits in basic block b0b56b-b0b573.]
                                                                                                  APIs
                                                                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 00B0B571
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendTimeout
                                                                                                  • String ID:
                                                                                                  • API String ID: 1599653421-0
                                                                                                  • Opcode ID: 7d962b2045de5669f2c7f47d8e421bff6c747ac22d2e3ad32b9d027263b901df
                                                                                                  • Instruction ID: 604a0852408373fcd29f7d467a071dbaf7ba80e7ab35e278522b44e20b2def2f
                                                                                                  • Opcode Fuzzy Hash: 7d962b2045de5669f2c7f47d8e421bff6c747ac22d2e3ad32b9d027263b901df
                                                                                                  • Instruction Fuzzy Hash: 4821D571104340AFE7228F50DC44FA2FFB8EF46310F1884DEE9845B5A2D375A409CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The LookupPrivilegeValueW call sits in basic block b0bd38-b0bd40.]
                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B0BD3E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: 662cc858d778934608b26e10fc80f4459c02d2f2fb6c7e61f3b5d3a71d4c76c1
                                                                                                  • Instruction ID: 5b1d5df5651a754557bf398189948f994c6a173bac8bde5b5fd4394841c42d9d
                                                                                                  • Opcode Fuzzy Hash: 662cc858d778934608b26e10fc80f4459c02d2f2fb6c7e61f3b5d3a71d4c76c1
                                                                                                  • Instruction Fuzzy Hash: D82148725093C0AFD7128B65DC55BA2BFA8EF17310F0D85EBE884CB5A3D2249949CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph
                                                                                                  [graph image not recoverable from the extracted text; legend: Executed / Not Executed. The WriteFile call sits in basic block b0af07-b0af27.]
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0AF0D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3934441357-0
                                                                                                  • Opcode ID: fd078bf1ed9d2ee703208504333ec3edf04276e998f86adb5a86cf6afbadfaaf
                                                                                                  • Instruction ID: 492983ad817cac505fcd5ff7f875a51be51a93ef79511d0efea64e11f2ef1f64
                                                                                                  • Opcode Fuzzy Hash: fd078bf1ed9d2ee703208504333ec3edf04276e998f86adb5a86cf6afbadfaaf
                                                                                                  • Instruction Fuzzy Hash: 6721E7B1409380AFD722CF51DC44F96FFB8EF05314F1984DAE9849F562D264A509CB71
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0B480
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: ae8e8118334a18842b91d1b7fd759e1dca3105ecb509fceedd95827864162c75
                                                                                                  • Instruction ID: 7aa90cef60c65c176788b04b66bc50f289466b20d27da77826a1bcd5d0121731
                                                                                                  • Opcode Fuzzy Hash: ae8e8118334a18842b91d1b7fd759e1dca3105ecb509fceedd95827864162c75
                                                                                                  • Instruction Fuzzy Hash: 83219C725093806FD7228B11CC44FA6BFB8EF46310F18849AE9858B692D364E908CBB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B0AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: 7338bc1d6cefff3b2f15d5a47da8d8f87e500134146958ee3d740d9dfeff7592
                                                                                                  • Instruction ID: 07bbc5e9541d8a67279f9c2b8c8928d26cc458c1608378e956dca2d1fa785839
                                                                                                  • Opcode Fuzzy Hash: 7338bc1d6cefff3b2f15d5a47da8d8f87e500134146958ee3d740d9dfeff7592
                                                                                                  • Instruction Fuzzy Hash: 70216B71504340AFEB21CF65CC85FA6FBE8EF08710F1489A9E9458B691D375E819CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00B0B291
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 915d356c1887ea7df12621cbfd952e571ac2a53c0ad6617ad0ce266ccb83dbfe
                                                                                                  • Instruction ID: 80b394f9dfe97b34da9e61c2a8a8acda87f5ea0f103e477f9b75e6a110836caf
                                                                                                  • Opcode Fuzzy Hash: 915d356c1887ea7df12621cbfd952e571ac2a53c0ad6617ad0ce266ccb83dbfe
                                                                                                  • Instruction Fuzzy Hash: 8121AE72500204AFE720DF51CC85FABFBECEF08724F14859AE9458BA91D764E9098AB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0ACBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3081899298-0
                                                                                                  • Opcode ID: 8a21f20dab5f55b43cbd8ab86534077aa2e79e5ac7f4b10c4fcb0a8c0aa57fe8
                                                                                                  • Instruction ID: c13011c3ee67821a951c7dfa7498a9fe07d39d1ac491fe4f8cafd468701dfa80
                                                                                                  • Opcode Fuzzy Hash: 8a21f20dab5f55b43cbd8ab86534077aa2e79e5ac7f4b10c4fcb0a8c0aa57fe8
                                                                                                  • Instruction Fuzzy Hash: EA21E7B54093806FE7128B51DC40BE2BFBCEF47714F1980DBE9848B693D264A909C772
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00B0AA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: cf200149022be10e852b8deb030930b554daacdc92c2b82916a6f4d99d1e6277
                                                                                                  • Instruction ID: 9ab839d55409e96e3b7febc21b48ecee2d6046106cf57e16709322153e122611
                                                                                                  • Opcode Fuzzy Hash: cf200149022be10e852b8deb030930b554daacdc92c2b82916a6f4d99d1e6277
                                                                                                  • Instruction Fuzzy Hash: 9E21486540E3C0AFD7138B258C64A51BFB4EF57624F0E81DBD8848F5A3C2689809CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00B0B0DD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: 7baa80f3bafd389e4e495fea003fb3236a079940b824da8f6a233e465781c13d
                                                                                                  • Instruction ID: 77949c4fb73b375997f2a395c86a4df0ae75c00258677b31d87e8ae6dcbdb362
                                                                                                  • Opcode Fuzzy Hash: 7baa80f3bafd389e4e495fea003fb3236a079940b824da8f6a233e465781c13d
                                                                                                  • Instruction Fuzzy Hash: 86218071505240AFE720DF65DC85FA6FBE8EF04314F1484AAE9489B681E775E809CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00B0ABF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: 939826ffbbedc7939867c7c802b5815b9163c4bfbd2987a51c4068cc0b2887e8
                                                                                                  • Instruction ID: b0aae3b0b711df4a0c2ebfb773dcf52227989df5f6a8047eb9b70b3f0cdec0cd
                                                                                                  • Opcode Fuzzy Hash: 939826ffbbedc7939867c7c802b5815b9163c4bfbd2987a51c4068cc0b2887e8
                                                                                                  • Instruction Fuzzy Hash: 1C21CF754093C09FDB138B25DC95792BFB8EF07220F0984DBDC858F6A3D2649908CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00B0B82A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CopyFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 1304948518-0
                                                                                                  • Opcode ID: 2e85de83713e3c7232a3ea6a39d2912ade2e956effceb41995568b7a4f9167f4
                                                                                                  • Instruction ID: f71e808d93a8db16434461f0971a454cfd09f3cc640b8837f1417e2d989b7680
                                                                                                  • Opcode Fuzzy Hash: 2e85de83713e3c7232a3ea6a39d2912ade2e956effceb41995568b7a4f9167f4
                                                                                                  • Instruction Fuzzy Hash: AC2163715053805FDB21CF25DC54BA2BFF8EF06710F0884DAED85DB662D265E804DB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0B394
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: e146f75bd858eb5b17360456be9d2034af54e05abbfd2a1405889dbdfbbcbe52
                                                                                                  • Instruction ID: 82f73c14e3f6c82393a1ae8810e419ea7af7b48d8ff201a76edea1d3fece11b8
                                                                                                  • Opcode Fuzzy Hash: e146f75bd858eb5b17360456be9d2034af54e05abbfd2a1405889dbdfbbcbe52
                                                                                                  • Instruction Fuzzy Hash: 4C216D76600204AFE720CF55DC84FA6FBECEF04714F28859AED45CB691D760E908CAB5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 00B0B571
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendTimeout
                                                                                                  • String ID:
                                                                                                  • API String ID: 1599653421-0
                                                                                                  • Opcode ID: 312e7aa4c90fdb413e8dd78e0bbecc93816a5ea29e3564af222fc0dfe9b015d9
                                                                                                  • Instruction ID: 85d2716f1ced8b3240a52d0251a07626cbb6638051b61324202152dbad3aef5c
                                                                                                  • Opcode Fuzzy Hash: 312e7aa4c90fdb413e8dd78e0bbecc93816a5ea29e3564af222fc0dfe9b015d9
                                                                                                  • Instruction Fuzzy Hash: 1721A272400200AFEB218F50DC81FA6FBF8EF08714F14859EED459AAA1D375A519DBB5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0B480
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: 133de1733c2f17e63e6d7704a180db1ade25a5222d3be6f34f1890e154fa60d2
                                                                                                  • Instruction ID: c343ed674134f6eebca1ad9a8be36468c904aafaeb7fbaf9fad104267c7170cd
                                                                                                  • Opcode Fuzzy Hash: 133de1733c2f17e63e6d7704a180db1ade25a5222d3be6f34f1890e154fa60d2
                                                                                                  • Instruction Fuzzy Hash: A6118E76500604AFE7218F11DC80FAAFBECEF04714F14859AED459AB92D764E9098AB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • K32EnumProcesses.KERNEL32(?,?,?,1550A3C7,00000000,?,?,?,?,?,?,?,?,6CDA3C58), ref: 05590072
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnumProcesses
                                                                                                  • String ID:
                                                                                                  • API String ID: 84517404-0
                                                                                                  • Opcode ID: 74c9051ab18c9f543b22feb102c0dae7286adbf4da09e5378b070e203b5debee
                                                                                                  • Instruction ID: c56a2b64d158870ab0d001bad982f31b97b7422cdac892e9c5846639938adf33
                                                                                                  • Opcode Fuzzy Hash: 74c9051ab18c9f543b22feb102c0dae7286adbf4da09e5378b070e203b5debee
                                                                                                  • Instruction Fuzzy Hash: 542193715053809FDB11CF65DC45B92BFF8FF06220F0984AAE985CB262D274E948CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: 9c3a4b799ad89c2bd310579f312d8d577f0c9d4249c4a106b48dbc2ef04f483a
                                                                                                  • Instruction ID: 9a6d59d79f0753c6e9980bc3215e45c2df65f090e6922d2add2f2a0b1d48597c
                                                                                                  • Opcode Fuzzy Hash: 9c3a4b799ad89c2bd310579f312d8d577f0c9d4249c4a106b48dbc2ef04f483a
                                                                                                  • Instruction Fuzzy Hash: BC214A714093C4AFDB128B25DC95B92BFB4EF07220F0984DBDD849F1A3D2659908CBB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%


APIs
• RegSetValueExW.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0BAF0
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0A5DE
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• WriteFile.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0AF0D
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0

APIs
• ShellExecuteExW.SHELL32(?), ref: 05590318
Memory Dump Source
• Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0

APIs
• DeleteFileW.KERNELBASE(?), ref: 00B0B8E4
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0

APIs
• LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B0BD3E
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• CopyFileW.KERNELBASE(?,?,?), ref: 00B0B82A
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0

APIs
• GetFileType.KERNELBASE(?,00000E24,1550A3C7,00000000,00000000,00000000,00000000), ref: 00B0ACBD
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0

APIs
• WaitForInputIdle.USER32(?,?), ref: 00B0B76F
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: IdleInputWait
• String ID:
• API String ID: 2200289081-0

APIs
• K32EnumProcesses.KERNEL32(?,?,?,1550A3C7,00000000,?,?,?,?,?,?,?,?,6CDA3C58), ref: 05590072
Memory Dump Source
• Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0

APIs
• DeleteFileW.KERNELBASE(?), ref: 00B0B8E4
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0

APIs
• ShellExecuteExW.SHELL32(?), ref: 05590318
Memory Dump Source
• Source File: 00000001.00000002.2137580885.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5590000_N1aqZIb7KG.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0A5DE
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 00B0ABF0
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
                                                                                                  • Opcode ID: 7b85a98b8f30811af272e9b4024171906c772ecae7b69ab19ef383bbe057da48
                                                                                                  • Instruction ID: 7301a14df15461c24318bc2b72b92001326ac0e3f066da85dff878a57407f9b5
                                                                                                  • Opcode Fuzzy Hash: 7b85a98b8f30811af272e9b4024171906c772ecae7b69ab19ef383bbe057da48
                                                                                                  • Instruction Fuzzy Hash: 60017C715042449FEB208F55DC857A6FBE4EF04320F18C8AADD498B692D675E808CA62
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00B0A77E
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WaitForInputIdle.USER32(?,?), ref: 00B0B76F
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: IdleInputWait
• String ID:
• API String ID: 2200289081-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 00B0AA44
Memory Dump Source
• Source File: 00000001.00000002.2131833924.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b0a000_N1aqZIb7KG.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: 2Gl
• API String ID: 0-4153197625
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: 2Gl
• API String ID: 0-4153197625
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID: :@ l
• API String ID: 0-533218248
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133734848.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1070000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133734848.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1070000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2131697629.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b02000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2133624257.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_f60000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2131697629.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b02000_N1aqZIb7KG.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                  • Opcode ID: 77fa8ef225a13959adaf5c45cca07f985a2aaf3580fb443ff37dea424ed3321d
                                                                                                  • Instruction ID: 3df8e343d5e2f8c196d71ad7ee298a556c4c252439ea908b5286f0745325c2b5
                                                                                                  • Opcode Fuzzy Hash: 77fa8ef225a13959adaf5c45cca07f985a2aaf3580fb443ff37dea424ed3321d
                                                                                                  • Instruction Fuzzy Hash: 25D05E342002814FCB15DB0CD2D8F593BD8AB80715F0644E8AC108B7A2C7B8E8C4CA00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:37.8%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:125
                                                                                                  Total number of Limit Nodes:5
                                                                                                  execution_graph 17794 272b873 17796 272b8aa DeleteFileW 17794->17796 17797 272b8ec 17796->17797 17866 272a573 17867 272a59a DuplicateHandle 17866->17867 17869 272a5e6 17867->17869 17870 272af76 17871 272afaa CreateMutexW 17870->17871 17873 272b025 17871->17873 17798 272aa75 17799 272aaa6 CreateFileW 17798->17799 17801 272ab2d 17799->17801 17834 272b6f5 17835 272b722 CopyFileW 17834->17835 17837 272b772 17835->17837 17676 272b67a 17677 272b6a9 WaitForInputIdle 17676->17677 17678 272b6df 17676->17678 17679 272b6b7 17677->17679 17678->17677 17898 59f1416 17900 59f1436 WSASocketW 17898->17900 17901 59f14aa 17900->17901 17902 59f0006 17903 59f0032 NtQuerySystemInformation 17902->17903 17905 59f007c 17903->17905 17722 272adee 17725 272ae23 ReadFile 17722->17725 17724 272ae55 17725->17724 17906 59f183c 17908 59f1862 ConvertStringSecurityDescriptorToSecurityDescriptorW 17906->17908 17909 59f18db 17908->17909 17802 272b658 17803 272b67a WaitForInputIdle 17802->17803 17805 272b6b7 17803->17805 17758 272a65e 17759 272a6c0 17758->17759 17760 272a68a FindCloseChangeNotification 17758->17760 17759->17760 17761 272a698 17760->17761 17770 59f0032 17771 59f0067 NtQuerySystemInformation 17770->17771 17772 59f0092 17770->17772 17773 59f007c 17771->17773 17772->17771 17806 59f23aa 17807 59f23e0 FormatMessageW 17806->17807 17809 59f246a 17807->17809 17782 272bd4e 17783 272bd7d AdjustTokenPrivileges 17782->17783 17785 272bd9f 17783->17785 17838 272a6ce 17839 272a72e OleGetClipboard 17838->17839 17841 272a78c 17839->17841 17910 272adce 17913 272adee ReadFile 17910->17913 17912 272ae55 17913->17912 17846 59f2122 17848 59f2152 WSAConnect 17846->17848 17849 59f21a6 17848->17849 17810 59f21de 17812 59f221a GetProcessWorkingSetSize 17810->17812 17813 59f227b 17812->17813 17878 59f22db 17880 59f22fe SetProcessWorkingSetSize 17878->17880 17881 59f235f 17880->17881 17814 272ac37 17816 272ac6a GetFileType 17814->17816 17817 272accc 17816->17817 17914 272a9bf 17917 272a9c9 SetErrorMode 17914->17917 17916 272aa53 17917->17916 17850 59f1f50 17853 59f1f72 getaddrinfo 17850->17853 17852 59f201f 17853->17852 17695 272b722 17697 272b74b CopyFileW 17695->17697 17698 272b772 17697->17698 17699 272aaa6 17701 272aade CreateFileW 17699->17701 17702 272ab2d 17701->17702 17882 272b126 17883 272b12a RegOpenKeyExW 17882->17883 17885 272b1e0 17883->17885 17918 59f1e48 17920 59f1e66 GetProcessTimes 17918->17920 17921 59f1eed 17920->17921 17707 272b8aa 17708 272b8d0 DeleteFileW 17707->17708 17710 272b8ec 17708->17710 17711 272afaa 17714 272afe2 CreateMutexW 17711->17714 17713 272b025 17714->17713 17886 272b32a 17887 272b34e RegSetValueExW 17886->17887 17889 272b3cf 17887->17889 17858 59f0544 17861 59f0582 GetExitCodeProcess 17858->17861 17860 59f05e0 17861->17860 17730 272aa12 17731 272aa67 17730->17731 17732 272aa3e SetErrorMode 17730->17732 17731->17732 17733 272aa53 17732->17733 17894 272bd17 17895 272bd21 AdjustTokenPrivileges 17894->17895 17897 272bd9f 17895->17897 17746 272a59a 17747 272a610 17746->17747 17748 272a5d8 DuplicateHandle 17746->17748 17747->17748 17749 272a5e6 17748->17749 17818 272b219 17819 272b25a RegQueryValueExW 17818->17819 17821 272b2e3 17819->17821 17862 272be99 17864 272beca K32EnumProcesses 17862->17864 17865 272bf12 17864->17865 17822 272a61e 17823 272a65e FindCloseChangeNotification 17822->17823 17825 272a698 17823->17825 17826 59f19f2 17828 59f1a12 MapViewOfFile 17826->17828 17829 59f1a99 17828->17829 17830 272b408 17832 272b436 SendMessageTimeoutA 17830->17832 17833 272b4b9 17832->17833 17922 272bb88 17924 272bba8 LookupPrivilegeValueW 17922->17924 17925 272bc1e 17924->17925
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$:@ l$:@ l$:@ l$:@ l$@$\OGl$2Gl
                                                                                                  • API String ID: 0-3909392376
                                                                                                  • Opcode ID: 54e3ff76201acae6a25d31339bb261bf771ae388892073f46a8b358bb0229233
                                                                                                  • Instruction ID: 82fca4c9093a237d5c309a9e98d2bf4ca2a377d05b50b0d9bf7ee968ed4b5436
                                                                                                  • Opcode Fuzzy Hash: 54e3ff76201acae6a25d31339bb261bf771ae388892073f46a8b358bb0229233
                                                                                                  • Instruction Fuzzy Hash: 23233878A01228CFDB24EF25D854BADB7B2BF48308F0041E9D849A7794DB359E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-3866679809
                                                                                                  • Opcode ID: 3c0c23f13687b88dbb198ae8c99b57ee11cde1b8d53d2cf258b1368d7653f8a2
                                                                                                  • Instruction ID: a7209581d32ab2402a895b059069060bffd8b8dfc42f30beda4d55a4a381c78b
                                                                                                  • Opcode Fuzzy Hash: 3c0c23f13687b88dbb198ae8c99b57ee11cde1b8d53d2cf258b1368d7653f8a2
                                                                                                  • Instruction Fuzzy Hash: E6133B78A01228CFDB24EF25D854BADB7B2BF48308F0042E9D94967795DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 1115 50344f1-503467d 1136 5034683-50347d2 1115->1136 1137 503480d-5034821 1115->1137 1136->1137 1138 5034827-503492c 1137->1138 1139 503496f-5034983 1137->1139 1335 5034934 1138->1335 1141 50349d6-50349ea 1139->1141 1142 5034985-503498b call 5034210 1139->1142 1144 5034a32-5034a46 1141->1144 1145 50349ec-50349f7 1141->1145 1147 5034990-503499b 1142->1147 1148 5034b94-5034ba8 1144->1148 1149 5034a4c-5034b59 1144->1149 1145->1144 1147->1141 1152 5034cd4-5034ce8 1148->1152 1153 5034bae-5034bc2 1148->1153 1149->1148 1160 5034f74-5034f88 1152->1160 1161 5034cee-5034f2d 1152->1161 1156 5034bd0-5034be4 1153->1156 1157 5034bc4-5034bcb 1153->1157 1164 5034be6-5034bed 1156->1164 1165 5034bef-5034c03 1156->1165 1163 5034c48-5034c5c 1157->1163 1166 5034fe2-5034ff6 1160->1166 1167 5034f8a-5034f9b 1160->1167 1161->1160 1170 5034c76-5034c82 1163->1170 1171 5034c5e-5034c74 1163->1171 1164->1163 1174 5034c05-5034c0c 1165->1174 1175 5034c0e-5034c22 1165->1175 1168 5035045-5035059 1166->1168 1169 5034ff8-5034ffe 1166->1169 1167->1166 1181 50350a2-50350b6 1168->1181 1182 503505b 1168->1182 1169->1168 1180 5034c8d 1170->1180 1171->1180 1174->1163 1177 5034c24-5034c2b 1175->1177 1178 5034c2d-5034c41 1175->1178 1177->1163 1178->1163 1185 5034c43-5034c45 1178->1185 1180->1152 1187 50350b8-50350e1 1181->1187 1188 503512d-5035141 1181->1188 1182->1181 1185->1163 1187->1188 1193 5035147-5035363 1188->1193 1194 50353b4-50353c8 1188->1194 1575 5035367 1193->1575 1576 5035365 1193->1576 1200 503549e-50354b2 1194->1200 1201 50353ce-50353de 1194->1201 1204 50354b8-50355e7 1200->1204 1205 503566f-5035683 1200->1205 1639 50353e4 call 2801047 1201->1639 1640 50353e4 call 280106e 1201->1640 1542 50355f2-5035628 1204->1542 1210 50357e6-50357fa 1205->1210 1211 5035689-5035794 1205->1211 1213 5035800-503590b 1210->1213 1214 503595d-5035971 1210->1214 1499 503579f 1211->1499 1508 5035916 1213->1508 1221 5035977-5035a82 1214->1221 1222 5035ad4-5035ae8 1214->1222 1523 5035a8d 1221->1523 1230 5035c4b-5035c5f 1222->1230 1231 5035aee-5035bf9 1222->1231 1225 50353ea-5035450 1309 5035457 1225->1309 1235 5035dc2-5035dd6 1230->1235 1236 5035c65-5035d70 1230->1236 1531 5035c04 1231->1531 1241 5035f39-5035f4d 1235->1241 1242 5035ddc-5035ee7 1235->1242 1546 5035d7b 1236->1546 1248 5035f53-5036069 1241->1248 1249 50360b0-50360c4 1241->1249 1559 5035ef2 1242->1559 1248->1249 1263 5036227-503623b 1249->1263 1264 50360ca-50361d5 1249->1264 1272 5036241-503634c 1263->1272 1273 503639e-50363b2 1263->1273 1579 50361e0 1264->1579 1581 5036357 1272->1581 1281 5036536-503654a 1273->1281 1282 50363b8-50363fd call 5034278 1273->1282 1286 5036550-503656f 1281->1286 1287 503668d-50366a1 1281->1287 1404 50364bd-50364df 1282->1404 1322 5036614-5036636 1286->1322 1299 50366a7-50367a7 1287->1299 1300 50367ee-5036802 1287->1300 1299->1300 1306 5036808-5036908 1300->1306 1307 503694f-5036963 1300->1307 1306->1307 1319 5036ab0-5036ada 1307->1319 1320 5036969-5036a69 1307->1320 1309->1200 1350 5036ae0-5036b53 1319->1350 1351 5036b9a-5036bae 1319->1351 1320->1319 1333 5036574-5036583 1322->1333 1334 503663c 1322->1334 1343 5036589-50365bc 1333->1343 1344 503663e 1333->1344 1334->1287 1335->1139 1436 5036603-503660c 1343->1436 1437 50365be-50365f8 1343->1437 1376 5036643-503668b 1344->1376 1350->1351 1357 5036bb4-5036c0b 1351->1357 1358 5036c8b-5036c9f 1351->1358 1482 5036c12-5036c44 1357->1482 1373 5036de5-5036df9 1358->1373 1374 5036ca5-5036d97 1358->1374 1384 5036dff-5036e4f 1373->1384 1385 503705c-5037070 1373->1385 1612 5036d9e 1374->1612 1376->1287 1503 5036e51-5036e77 1384->1503 1504 5036ebd-5036ee8 1384->1504 1395 5037076-5037111 call 5034278 * 2 1385->1395 1396 5037158-503715f 1385->1396 1395->1396 1417 5036402-5036411 1404->1417 1418 50364e5 1404->1418 1431 50364e7 1417->1431 1432 5036417-50364b5 1417->1432 1418->1281 1465 50364ec-5036534 1431->1465 1432->1465 1574 50364b7 1432->1574 1436->1376 1448 503660e 1436->1448 1437->1436 1448->1322 1465->1281 1482->1358 1499->1210 1571 5036e79-5036e92 1503->1571 1572 5036eb8 1503->1572 1577 5036fc6-5037057 1504->1577 1578 5036eee-5036fc1 1504->1578 1508->1214 1523->1222 1531->1230 1542->1205 1546->1235 1559->1241 1607 5036e99 1571->1607 1572->1385 1574->1404 1582 503536d 1575->1582 1576->1582 1577->1385 1578->1385 1579->1263 1581->1273 1582->1194 1607->1572 1612->1373 1639->1225 1640->1225
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-3866679809
                                                                                                  • Opcode ID: 448c81dd35ad9ffae575603ab3695168edb84429e5484088af829c0c1f93e3ad
                                                                                                  • Instruction ID: 8551ac987c8064f2c9bf01aebe43052cc4e66d343bf2763e0aaf1cd16d7def07
                                                                                                  • Opcode Fuzzy Hash: 448c81dd35ad9ffae575603ab3695168edb84429e5484088af829c0c1f93e3ad
                                                                                                  • Instruction Fuzzy Hash: BB033A78A01228CFDB25EF25D854BADB7B2BF48308F0042E9D94967794DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 1641 5034544-503467d 1659 5034683-50347d2 1641->1659 1660 503480d-5034821 1641->1660 1659->1660 1661 5034827-503492c 1660->1661 1662 503496f-5034983 1660->1662 1858 5034934 1661->1858 1664 50349d6-50349ea 1662->1664 1665 5034985-503498b call 5034210 1662->1665 1667 5034a32-5034a46 1664->1667 1668 50349ec-50349f7 1664->1668 1670 5034990-503499b 1665->1670 1671 5034b94-5034ba8 1667->1671 1672 5034a4c-5034b59 1667->1672 1668->1667 1670->1664 1675 5034cd4-5034ce8 1671->1675 1676 5034bae-5034bc2 1671->1676 1672->1671 1683 5034f74-5034f88 1675->1683 1684 5034cee-5034f2d 1675->1684 1679 5034bd0-5034be4 1676->1679 1680 5034bc4-5034bcb 1676->1680 1687 5034be6-5034bed 1679->1687 1688 5034bef-5034c03 1679->1688 1686 5034c48-5034c5c 1680->1686 1689 5034fe2-5034ff6 1683->1689 1690 5034f8a-5034f9b 1683->1690 1684->1683 1693 5034c76-5034c82 1686->1693 1694 5034c5e-5034c74 1686->1694 1687->1686 1697 5034c05-5034c0c 1688->1697 1698 5034c0e-5034c22 1688->1698 1691 5035045-5035059 1689->1691 1692 5034ff8-5034ffe 1689->1692 1690->1689 1704 50350a2-50350b6 1691->1704 1705 503505b 1691->1705 1692->1691 1703 5034c8d 1693->1703 1694->1703 1697->1686 1700 5034c24-5034c2b 1698->1700 1701 5034c2d-5034c41 1698->1701 1700->1686 1701->1686 1708 5034c43-5034c45 1701->1708 1703->1675 1710 50350b8-50350e1 1704->1710 1711 503512d-5035141 1704->1711 1705->1704 1708->1686 1710->1711 1716 5035147-5035363 1711->1716 1717 50353b4-50353c8 1711->1717 2098 5035367 1716->2098 2099 5035365 1716->2099 1723 503549e-50354b2 1717->1723 1724 50353ce-50353de 1717->1724 1727 50354b8-50355e7 1723->1727 1728 503566f-5035683 1723->1728 2162 50353e4 call 2801047 1724->2162 2163 50353e4 call 280106e 1724->2163 2065 50355f2-5035628 1727->2065 1733 50357e6-50357fa 1728->1733 1734 5035689-5035794 1728->1734 1736 5035800-503590b 1733->1736 1737 503595d-5035971 1733->1737 2022 503579f 1734->2022 2031 5035916 1736->2031 1744 5035977-5035a82 1737->1744 1745 5035ad4-5035ae8 1737->1745 2046 5035a8d 1744->2046 1753 5035c4b-5035c5f 1745->1753 1754 5035aee-5035bf9 1745->1754 1748 50353ea-5035450 1832 5035457 1748->1832 1758 5035dc2-5035dd6 1753->1758 1759 5035c65-5035d70 1753->1759 2054 5035c04 1754->2054 1764 5035f39-5035f4d 1758->1764 1765 5035ddc-5035ee7 1758->1765 2069 5035d7b 1759->2069 1771 5035f53-5036069 1764->1771 1772 50360b0-50360c4 1764->1772 2082 5035ef2 1765->2082 1771->1772 1786 5036227-503623b 1772->1786 1787 50360ca-50361d5 1772->1787 1795 5036241-503634c 1786->1795 1796 503639e-50363b2 1786->1796 2102 50361e0 1787->2102 2104 5036357 1795->2104 1804 5036536-503654a 1796->1804 1805 50363b8-50363fd call 5034278 1796->1805 1809 5036550-503656f 1804->1809 1810 503668d-50366a1 1804->1810 1927 50364bd-50364df 1805->1927 1845 5036614-5036636 1809->1845 1822 50366a7-50367a7 1810->1822 1823 50367ee-5036802 1810->1823 1822->1823 1829 5036808-5036908 1823->1829 1830 503694f-5036963 1823->1830 1829->1830 1842 5036ab0-5036ada 1830->1842 1843 5036969-5036a69 1830->1843 1832->1723 1873 5036ae0-5036b53 1842->1873 1874 5036b9a-5036bae 1842->1874 1843->1842 1856 5036574-5036583 1845->1856 1857 503663c 1845->1857 1866 5036589-50365bc 1856->1866 1867 503663e 1856->1867 1857->1810 1858->1662 1959 5036603-503660c 1866->1959 1960 50365be-50365f8 1866->1960 1899 5036643-503668b 1867->1899 1873->1874 1880 5036bb4-5036c0b 1874->1880 1881 5036c8b-5036c9f 1874->1881 2005 5036c12-5036c44 1880->2005 1896 5036de5-5036df9 1881->1896 1897 5036ca5-5036d97 1881->1897 1907 5036dff-5036e4f 1896->1907 1908 503705c-5037070 1896->1908 2135 5036d9e 1897->2135 1899->1810 2026 5036e51-5036e77 1907->2026 2027 5036ebd-5036ee8 1907->2027 1918 5037076-5037111 call 5034278 * 2 1908->1918 1919 5037158-503715f 1908->1919 1918->1919 1940 5036402-5036411 1927->1940 1941 50364e5 1927->1941 1954 50364e7 1940->1954 1955 5036417-50364b5 1940->1955 1941->1804 1988 50364ec-5036534 1954->1988 1955->1988 2097 50364b7 1955->2097 1959->1899 1971 503660e 1959->1971 1960->1959 1971->1845 1988->1804 2005->1881 2022->1733 2094 5036e79-5036e92 2026->2094 2095 5036eb8 2026->2095 2100 5036fc6-5037057 2027->2100 2101 5036eee-5036fc1 2027->2101 2031->1737 2046->1745 2054->1753 2065->1728 2069->1758 2082->1764 2130 5036e99 2094->2130 2095->1908 2097->1927 2105 503536d 2098->2105 2099->2105 2100->1908 2101->1908 2102->1786 2104->1796 2105->1717 2130->2095 2135->1896 2162->1748 2163->1748
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-3866679809
                                                                                                  • Opcode ID: 0605db8b43707676c4d4be65f2c1bd6b65c2adb612748b93234c720fa2f9269f
                                                                                                  • Instruction ID: fd724931a409ecfd32f2f22b4a77db93f3c1e8622b6a5ba78803c2351391a2d2
                                                                                                  • Opcode Fuzzy Hash: 0605db8b43707676c4d4be65f2c1bd6b65c2adb612748b93234c720fa2f9269f
                                                                                                  • Instruction Fuzzy Hash: 21033A78A01228CFDB25EF25D854BADB7B2BF48308F0042E9D94967794DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 2164 5034630-503467d 2171 5034683-50347d2 2164->2171 2172 503480d-5034821 2164->2172 2171->2172 2173 5034827-503492c 2172->2173 2174 503496f-5034983 2172->2174 2370 5034934 2173->2370 2176 50349d6-50349ea 2174->2176 2177 5034985-503498b call 5034210 2174->2177 2179 5034a32-5034a46 2176->2179 2180 50349ec-50349f7 2176->2180 2182 5034990-503499b 2177->2182 2183 5034b94-5034ba8 2179->2183 2184 5034a4c-5034b59 2179->2184 2180->2179 2182->2176 2187 5034cd4-5034ce8 2183->2187 2188 5034bae-5034bc2 2183->2188 2184->2183 2195 5034f74-5034f88 2187->2195 2196 5034cee-5034f2d 2187->2196 2191 5034bd0-5034be4 2188->2191 2192 5034bc4-5034bcb 2188->2192 2199 5034be6-5034bed 2191->2199 2200 5034bef-5034c03 2191->2200 2198 5034c48-5034c5c 2192->2198 2201 5034fe2-5034ff6 2195->2201 2202 5034f8a-5034f9b 2195->2202 2196->2195 2205 5034c76-5034c82 2198->2205 2206 5034c5e-5034c74 2198->2206 2199->2198 2209 5034c05-5034c0c 2200->2209 2210 5034c0e-5034c22 2200->2210 2203 5035045-5035059 2201->2203 2204 5034ff8-5034ffe 2201->2204 2202->2201 2216 50350a2-50350b6 2203->2216 2217 503505b 2203->2217 2204->2203 2215 5034c8d 2205->2215 2206->2215 2209->2198 2212 5034c24-5034c2b 2210->2212 2213 5034c2d-5034c41 2210->2213 2212->2198 2213->2198 2220 5034c43-5034c45 2213->2220 2215->2187 2222 50350b8-50350e1 2216->2222 2223 503512d-5035141 2216->2223 2217->2216 2220->2198 2222->2223 2228 5035147-5035363 2223->2228 2229 50353b4-50353c8 2223->2229 2610 5035367 2228->2610 2611 5035365 2228->2611 2235 503549e-50354b2 2229->2235 2236 50353ce-50353de 2229->2236 2239 50354b8-50355e7 2235->2239 2240 503566f-5035683 2235->2240 2674 50353e4 call 2801047 2236->2674 2675 50353e4 call 280106e 2236->2675 2577 50355f2-5035628 2239->2577 2245 50357e6-50357fa 2240->2245 2246 5035689-5035794 2240->2246 2248 5035800-503590b 2245->2248 2249 503595d-5035971 2245->2249 2534 503579f 2246->2534 2543 5035916 2248->2543 2256 5035977-5035a82 2249->2256 2257 5035ad4-5035ae8 2249->2257 2558 5035a8d 2256->2558 2265 5035c4b-5035c5f 2257->2265 2266 5035aee-5035bf9 2257->2266 2260 50353ea-5035450 2344 5035457 2260->2344 2270 5035dc2-5035dd6 2265->2270 2271 5035c65-5035d70 2265->2271 2566 5035c04 2266->2566 2276 5035f39-5035f4d 2270->2276 2277 5035ddc-5035ee7 2270->2277 2581 5035d7b 2271->2581 2283 5035f53-5036069 2276->2283 2284 50360b0-50360c4 2276->2284 2594 5035ef2 2277->2594 2283->2284 2298 5036227-503623b 2284->2298 2299 50360ca-50361d5 2284->2299 2307 5036241-503634c 2298->2307 2308 503639e-50363b2 2298->2308 2614 50361e0 2299->2614 2616 5036357 2307->2616 2316 5036536-503654a 2308->2316 2317 50363b8-50363fd call 5034278 2308->2317 2321 5036550-503656f 2316->2321 2322 503668d-50366a1 2316->2322 2439 50364bd-50364df 2317->2439 2357 5036614-5036636 2321->2357 2334 50366a7-50367a7 2322->2334 2335 50367ee-5036802 2322->2335 2334->2335 2341 5036808-5036908 2335->2341 2342 503694f-5036963 2335->2342 2341->2342 2354 5036ab0-5036ada 2342->2354 2355 5036969-5036a69 2342->2355 2344->2235 2385 5036ae0-5036b53 2354->2385 2386 5036b9a-5036bae 2354->2386 2355->2354 2368 5036574-5036583 2357->2368 2369 503663c 2357->2369 2378 5036589-50365bc 2368->2378 2379 503663e 2368->2379 2369->2322 2370->2174 2471 5036603-503660c 2378->2471 2472 50365be-50365f8 2378->2472 2411 5036643-503668b 2379->2411 2385->2386 2392 5036bb4-5036c0b 2386->2392 2393 5036c8b-5036c9f 2386->2393 2517 5036c12-5036c44 2392->2517 2408 5036de5-5036df9 2393->2408 2409 5036ca5-5036d97 2393->2409 2419 5036dff-5036e4f 2408->2419 2420 503705c-5037070 2408->2420 2647 5036d9e 2409->2647 2411->2322 2538 5036e51-5036e77 2419->2538 2539 5036ebd-5036ee8 2419->2539 2430 5037076-5037111 call 5034278 * 2 2420->2430 2431 5037158-503715f 2420->2431 2430->2431 2452 5036402-5036411 2439->2452 2453 50364e5 2439->2453 2466 50364e7 2452->2466 2467 5036417-50364b5 2452->2467 2453->2316 2500 50364ec-5036534 2466->2500 2467->2500 2609 50364b7 2467->2609 2471->2411 2483 503660e 2471->2483 2472->2471 2483->2357 2500->2316 2517->2393 2534->2245 2606 5036e79-5036e92 2538->2606 2607 5036eb8 2538->2607 2612 5036fc6-5037057 2539->2612 2613 5036eee-5036fc1 2539->2613 2543->2249 2558->2257 2566->2265 2577->2240 2581->2270 2594->2276 2642 5036e99 2606->2642 2607->2420 2609->2439 2617 503536d 2610->2617 2611->2617 2612->2420 2613->2420 2614->2298 2616->2308 2617->2229 2642->2607 2647->2408 2674->2260 2675->2260
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-1526578642
                                                                                                  • Opcode ID: e5009a26b7426f657d89caa9d7d3972b4ad9263444bbe337c1af2c83abbba45b
                                                                                                  • Instruction ID: 882398a6e1ffed4a63f38cb4c536a5c6e9b4571d12cdea3fafa10b174b4b1d5a
                                                                                                  • Opcode Fuzzy Hash: e5009a26b7426f657d89caa9d7d3972b4ad9263444bbe337c1af2c83abbba45b
                                                                                                  • Instruction Fuzzy Hash: B6033B78A01228CFDB25EF25D854BADB7B2BF48308F0042E9D84967794DB315E86CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Rendered control-flow graph of the function whose entry basic block starts at 0x0503470F in the 0x05030000 dump; the graph widget's node and edge listing is not reproduced here. Blocks in this function call 0x05034210, 0x05034278, 0x02801047 and 0x0280106E.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-1526578642
                                                                                                  • Opcode ID: 3c7d04e321edfad2acefc326c9e3a43f0b847fe667c6b4366af4e69a499a2909
                                                                                                  • Instruction ID: 5f3e9240085064c254efcb3b31a4b6bf0634dcac261595d092842d1594dc6080
                                                                                                  • Opcode Fuzzy Hash: 3c7d04e321edfad2acefc326c9e3a43f0b847fe667c6b4366af4e69a499a2909
                                                                                                  • Instruction Fuzzy Hash: F6F23A78A05228CFDB25EF25D854BADB7B2BF48308F0042E9D949A7794DB315E86CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Rendered control-flow graph of the function whose entry basic block starts at 0x050347D4 in the 0x05030000 dump; the graph widget's node and edge listing is not reproduced here. Blocks in this function call 0x05034210, 0x05034278, 0x02801047 and 0x0280106E.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-1526578642
                                                                                                  • Opcode ID: c82564043ea0a080eaa7dd3c956e0e18e7af8b66ecbb459426cf1c8588b5dad5
                                                                                                  • Instruction ID: 0475e8c6d436fd4e6722918c078480551202474483b1bed5a9a441dc56d8d708
                                                                                                  • Opcode Fuzzy Hash: c82564043ea0a080eaa7dd3c956e0e18e7af8b66ecbb459426cf1c8588b5dad5
                                                                                                  • Instruction Fuzzy Hash: 21F23A78A05228CFDB25EF25D854BADB7B2BF48308F0042E9D949A7794DB315E86CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Rendered control-flow graph of the function whose entry basic block starts at 0x05034936 in the 0x05030000 dump; the graph widget's node and edge listing is not reproduced here. Blocks in this function call 0x05034210, 0x05034278, 0x02801047 and 0x0280106E.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-1526578642
                                                                                                  • Opcode ID: 897374473460c3f96d30fac263f2a4f9d9908029d10d63d0a2fd738db2a9e2f1
                                                                                                  • Instruction ID: 61a0eb00f4df1bc55603e529efc619562b4cd395ea2c4ae47665d8ce8458c681
                                                                                                  • Opcode Fuzzy Hash: 897374473460c3f96d30fac263f2a4f9d9908029d10d63d0a2fd738db2a9e2f1
                                                                                                  • Instruction Fuzzy Hash: AEF23B78A05228CFDB25EF25D854BADB7B2BF48304F0042E9D949A7794DB319E86CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Rendered control-flow graph of the function whose entry basic block starts at 0x0503499D in the 0x05030000 dump; the graph widget's node and edge listing is not reproduced here. Blocks in this function call 0x05034278, 0x02801047 and 0x0280106E.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-1526578642
                                                                                                  • Opcode ID: 7ae8c48224e221deef30e91c968e31d36269b2c06ef1ab8599f0e67ec565b7b2
                                                                                                  • Instruction ID: a571e166038b0c1f0bb1329e8463a9757b1d4c343f1aa7607be192f493b47bef
                                                                                                  • Opcode Fuzzy Hash: 7ae8c48224e221deef30e91c968e31d36269b2c06ef1ab8599f0e67ec565b7b2
                                                                                                  • Instruction Fuzzy Hash: 3EF23B78A05228CFDB25EF25D854BADB7B2BF48304F0042E9D949A7794DB319E86CF50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  [Rendered control-flow graph of the function whose entry basic block starts at 0x050349F9 in the 0x05030000 dump; the graph widget's node and edge listing is not reproduced here. Blocks in this function call 0x05034278, 0x02801047 and 0x0280106E.]
Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
• API String ID: 0-1526578642
• Opcode ID: 0c25bc778e505fae381def4b6fc5dae0ce1d362fbffbb06db1a54246369a08f3
• Instruction ID: 2ab62d813ce2b0869f0957b76034a2826153ce30aea1e62891d2b2fa87fe225c
• Opcode Fuzzy Hash: 0c25bc778e505fae381def4b6fc5dae0ce1d362fbffbb06db1a54246369a08f3
• Instruction Fuzzy Hash: 2BF23B78A05228CFDB25EF25D854BADB7B2BF48304F0042E9D949A7794DB319E86CF50
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                  control_flow_graph 5107 5034b5b-5034ba8 5114 5034cd4-5034ce8 5107->5114 5115 5034bae-5034bc2 5107->5115 5118 5034f74-5034f88 5114->5118 5119 5034cee-5034f2d 5114->5119 5116 5034bd0-5034be4 5115->5116 5117 5034bc4-5034bcb 5115->5117 5121 5034be6-5034bed 5116->5121 5122 5034bef-5034c03 5116->5122 5120 5034c48-5034c5c 5117->5120 5123 5034fe2-5034ff6 5118->5123 5124 5034f8a-5034f9b 5118->5124 5119->5118 5127 5034c76-5034c82 5120->5127 5128 5034c5e-5034c74 5120->5128 5121->5120 5129 5034c05-5034c0c 5122->5129 5130 5034c0e-5034c22 5122->5130 5125 5035045-5035059 5123->5125 5126 5034ff8-5034ffe 5123->5126 5124->5123 5136 50350a2-50350b6 5125->5136 5137 503505b 5125->5137 5126->5125 5135 5034c8d 5127->5135 5128->5135 5129->5120 5132 5034c24-5034c2b 5130->5132 5133 5034c2d-5034c41 5130->5133 5132->5120 5133->5120 5139 5034c43-5034c45 5133->5139 5135->5114 5141 50350b8-50350e1 5136->5141 5142 503512d-5035141 5136->5142 5137->5136 5139->5120 5141->5142 5145 5035147-5035363 5142->5145 5146 50353b4-50353c8 5142->5146 5498 5035367 5145->5498 5499 5035365 5145->5499 5148 503549e-50354b2 5146->5148 5149 50353ce-50353de 5146->5149 5152 50354b8-50355e7 5148->5152 5153 503566f-5035683 5148->5153 5562 50353e4 call 2801047 5149->5562 5563 50353e4 call 280106e 5149->5563 5465 50355f2-5035628 5152->5465 5154 50357e6-50357fa 5153->5154 5155 5035689-5035794 5153->5155 5159 5035800-503590b 5154->5159 5160 503595d-5035971 5154->5160 5422 503579f 5155->5422 5431 5035916 5159->5431 5166 5035977-5035a82 5160->5166 5167 5035ad4-5035ae8 5160->5167 5446 5035a8d 5166->5446 5171 5035c4b-5035c5f 5167->5171 5172 5035aee-5035bf9 5167->5172 5168 50353ea-5035450 5238 5035457 5168->5238 5176 5035dc2-5035dd6 5171->5176 5177 5035c65-5035d70 5171->5177 5454 5035c04 5172->5454 5182 5035f39-5035f4d 5176->5182 5183 5035ddc-5035ee7 5176->5183 5469 5035d7b 5177->5469 5187 5035f53-5036069 5182->5187 5188 
50360b0-50360c4 5182->5188 5482 5035ef2 5183->5482 5187->5188 5197 5036227-503623b 5188->5197 5198 50360ca-50361d5 5188->5198 5206 5036241-503634c 5197->5206 5207 503639e-50363b2 5197->5207 5502 50361e0 5198->5502 5504 5036357 5206->5504 5213 5036536-503654a 5207->5213 5214 50363b8-50363fd call 5034278 5207->5214 5218 5036550-503656f 5213->5218 5219 503668d-50366a1 5213->5219 5327 50364bd-50364df 5214->5327 5249 5036614-5036636 5218->5249 5229 50366a7-50367a7 5219->5229 5230 50367ee-5036802 5219->5230 5229->5230 5235 5036808-5036908 5230->5235 5236 503694f-5036963 5230->5236 5235->5236 5246 5036ab0-5036ada 5236->5246 5247 5036969-5036a69 5236->5247 5238->5148 5274 5036ae0-5036b53 5246->5274 5275 5036b9a-5036bae 5246->5275 5247->5246 5260 5036574-5036583 5249->5260 5261 503663c 5249->5261 5268 5036589-50365bc 5260->5268 5269 503663e 5260->5269 5261->5219 5359 5036603-503660c 5268->5359 5360 50365be-50365f8 5268->5360 5299 5036643-503668b 5269->5299 5274->5275 5281 5036bb4-5036c0b 5275->5281 5282 5036c8b-5036c9f 5275->5282 5405 5036c12-5036c44 5281->5405 5296 5036de5-5036df9 5282->5296 5297 5036ca5-5036d97 5282->5297 5307 5036dff-5036e4f 5296->5307 5308 503705c-5037070 5296->5308 5535 5036d9e 5297->5535 5299->5219 5426 5036e51-5036e77 5307->5426 5427 5036ebd-5036ee8 5307->5427 5318 5037076-5037111 call 5034278 * 2 5308->5318 5319 5037158-503715f 5308->5319 5318->5319 5340 5036402-5036411 5327->5340 5341 50364e5 5327->5341 5354 50364e7 5340->5354 5355 5036417-50364b5 5340->5355 5341->5213 5388 50364ec-5036534 5354->5388 5355->5388 5497 50364b7 5355->5497 5359->5299 5371 503660e 5359->5371 5360->5359 5371->5249 5388->5213 5405->5282 5422->5154 5494 5036e79-5036e92 5426->5494 5495 5036eb8 5426->5495 5500 5036fc6-5037057 5427->5500 5501 5036eee-5036fc1 5427->5501 5431->5160 5446->5167 5454->5171 5465->5153 5469->5176 5482->5182 5530 5036e99 5494->5530 5495->5308 5497->5327 5505 503536d 5498->5505 5499->5505 5500->5308 5501->5308 5502->5197 5504->5207 5505->5146 
5530->5495 5535->5296 5562->5168 5563->5168
Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: $:@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
• API String ID: 0-1526578642
• Opcode ID: 076a3dbb56a5f8435f9182e88f98f17a7f2a289d1a8858fe17f7aff7cf03e79b
• Instruction ID: e454dc617a5a7c8b6dc5c99cdc357b6d9e42cfef3addecaeefa4612a75b8639e
• Opcode Fuzzy Hash: 076a3dbb56a5f8435f9182e88f98f17a7f2a289d1a8858fe17f7aff7cf03e79b
• Instruction Fuzzy Hash: 2AE23B78A05228CFDB25EF25D854BADB7B2BF48304F0042E9D949A7794DB319E86CF50
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                  control_flow_graph 5564 5034c8f-5034ce8 5571 5034f74-5034f88 5564->5571 5572 5034cee-5034f2d 5564->5572 5573 5034fe2-5034ff6 5571->5573 5574 5034f8a-5034f9b 5571->5574 5572->5571 5575 5035045-5035059 5573->5575 5576 5034ff8-5034ffe 5573->5576 5574->5573 5579 50350a2-50350b6 5575->5579 5580 503505b 5575->5580 5576->5575 5583 50350b8-50350e1 5579->5583 5584 503512d-5035141 5579->5584 5580->5579 5583->5584 5586 5035147-5035363 5584->5586 5587 50353b4-50353c8 5584->5587 5939 5035367 5586->5939 5940 5035365 5586->5940 5589 503549e-50354b2 5587->5589 5590 50353ce-50353de 5587->5590 5593 50354b8-50355e7 5589->5593 5594 503566f-5035683 5589->5594 6003 50353e4 call 2801047 5590->6003 6004 50353e4 call 280106e 5590->6004 5906 50355f2-5035628 5593->5906 5595 50357e6-50357fa 5594->5595 5596 5035689-5035794 5594->5596 5600 5035800-503590b 5595->5600 5601 503595d-5035971 5595->5601 5863 503579f 5596->5863 5872 5035916 5600->5872 5607 5035977-5035a82 5601->5607 5608 5035ad4-5035ae8 5601->5608 5887 5035a8d 5607->5887 5612 5035c4b-5035c5f 5608->5612 5613 5035aee-5035bf9 5608->5613 5609 50353ea-5035450 5679 5035457 5609->5679 5617 5035dc2-5035dd6 5612->5617 5618 5035c65-5035d70 5612->5618 5895 5035c04 5613->5895 5623 5035f39-5035f4d 5617->5623 5624 5035ddc-5035ee7 5617->5624 5910 5035d7b 5618->5910 5628 5035f53-5036069 5623->5628 5629 50360b0-50360c4 5623->5629 5923 5035ef2 5624->5923 5628->5629 5638 5036227-503623b 5629->5638 5639 50360ca-50361d5 5629->5639 5647 5036241-503634c 5638->5647 5648 503639e-50363b2 5638->5648 5943 50361e0 5639->5943 5945 5036357 5647->5945 5654 5036536-503654a 5648->5654 5655 50363b8-50363fd call 5034278 5648->5655 5659 5036550-503656f 5654->5659 5660 503668d-50366a1 5654->5660 5768 50364bd-50364df 5655->5768 5690 5036614-5036636 5659->5690 5670 50366a7-50367a7 5660->5670 5671 50367ee-5036802 5660->5671 5670->5671 5676 5036808-5036908 5671->5676 5677 
503694f-5036963 5671->5677 5676->5677 5687 5036ab0-5036ada 5677->5687 5688 5036969-5036a69 5677->5688 5679->5589 5715 5036ae0-5036b53 5687->5715 5716 5036b9a-5036bae 5687->5716 5688->5687 5701 5036574-5036583 5690->5701 5702 503663c 5690->5702 5709 5036589-50365bc 5701->5709 5710 503663e 5701->5710 5702->5660 5800 5036603-503660c 5709->5800 5801 50365be-50365f8 5709->5801 5740 5036643-503668b 5710->5740 5715->5716 5722 5036bb4-5036c0b 5716->5722 5723 5036c8b-5036c9f 5716->5723 5846 5036c12-5036c44 5722->5846 5737 5036de5-5036df9 5723->5737 5738 5036ca5-5036d97 5723->5738 5748 5036dff-5036e4f 5737->5748 5749 503705c-5037070 5737->5749 5976 5036d9e 5738->5976 5740->5660 5867 5036e51-5036e77 5748->5867 5868 5036ebd-5036ee8 5748->5868 5759 5037076-5037111 call 5034278 * 2 5749->5759 5760 5037158-503715f 5749->5760 5759->5760 5781 5036402-5036411 5768->5781 5782 50364e5 5768->5782 5795 50364e7 5781->5795 5796 5036417-50364b5 5781->5796 5782->5654 5829 50364ec-5036534 5795->5829 5796->5829 5938 50364b7 5796->5938 5800->5740 5812 503660e 5800->5812 5801->5800 5812->5690 5829->5654 5846->5723 5863->5595 5935 5036e79-5036e92 5867->5935 5936 5036eb8 5867->5936 5941 5036fc6-5037057 5868->5941 5942 5036eee-5036fc1 5868->5942 5872->5601 5887->5608 5895->5612 5906->5594 5910->5617 5923->5623 5971 5036e99 5935->5971 5936->5749 5938->5768 5946 503536d 5939->5946 5940->5946 5941->5749 5942->5749 5943->5638 5945->5648 5946->5587 5971->5936 5976->5737 6003->5609 6004->5609
Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l$:@ l$:@ l$:@ l$\OGl$2Gl
• API String ID: 0-2995624938
• Opcode ID: cbe0c858078bd34d8bc6cceaa4e95836cf9f6b84715d1064519aeb14f23f7162
• Instruction ID: 93f1e438b729eafaa4bd530ef1878bac2cbe894092f83220a6049dab487b6314
• Opcode Fuzzy Hash: cbe0c858078bd34d8bc6cceaa4e95836cf9f6b84715d1064519aeb14f23f7162
• Instruction Fuzzy Hash: C2E23B78A01228CFDB25EF25D854BADB7B2BF48304F0042E9D949A7794DB319E86CF51
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                  control_flow_graph 6005 5034f2f-5034f88 6012 5034fe2-5034ff6 6005->6012 6013 5034f8a-5034f9b 6005->6013 6014 5035045-5035059 6012->6014 6015 5034ff8-5034ffe 6012->6015 6013->6012 6017 50350a2-50350b6 6014->6017 6018 503505b 6014->6018 6015->6014 6020 50350b8-50350e1 6017->6020 6021 503512d-5035141 6017->6021 6018->6017 6020->6021 6023 5035147-5035363 6021->6023 6024 50353b4-50353c8 6021->6024 6359 5035367 6023->6359 6360 5035365 6023->6360 6025 503549e-50354b2 6024->6025 6026 50353ce-50353de 6024->6026 6029 50354b8-50355e7 6025->6029 6030 503566f-5035683 6025->6030 6410 50353e4 call 2801047 6026->6410 6411 50353e4 call 280106e 6026->6411 6328 50355f2-5035628 6029->6328 6031 50357e6-50357fa 6030->6031 6032 5035689-5035794 6030->6032 6035 5035800-503590b 6031->6035 6036 503595d-5035971 6031->6036 6282 503579f 6032->6282 6293 5035916 6035->6293 6041 5035977-5035a82 6036->6041 6042 5035ad4-5035ae8 6036->6042 6305 5035a8d 6041->6305 6046 5035c4b-5035c5f 6042->6046 6047 5035aee-5035bf9 6042->6047 6043 50353ea-5035450 6109 5035457 6043->6109 6051 5035dc2-5035dd6 6046->6051 6052 5035c65-5035d70 6046->6052 6315 5035c04 6047->6315 6056 5035f39-5035f4d 6051->6056 6057 5035ddc-5035ee7 6051->6057 6326 5035d7b 6052->6326 6061 5035f53-5036069 6056->6061 6062 50360b0-50360c4 6056->6062 6342 5035ef2 6057->6342 6061->6062 6070 5036227-503623b 6062->6070 6071 50360ca-50361d5 6062->6071 6078 5036241-503634c 6070->6078 6079 503639e-50363b2 6070->6079 6361 50361e0 6071->6361 6365 5036357 6078->6365 6085 5036536-503654a 6079->6085 6086 50363b8-50363fd call 5034278 6079->6086 6090 5036550-503656f 6085->6090 6091 503668d-50366a1 6085->6091 6194 50364bd-50364df 6086->6194 6119 5036614-5036636 6090->6119 6100 50366a7-50367a7 6091->6100 6101 50367ee-5036802 6091->6101 6100->6101 6106 5036808-5036908 6101->6106 6107 503694f-5036963 6101->6107 6106->6107 6116 5036ab0-5036ada 6107->6116 6117 
5036969-5036a69 6107->6117 6109->6025 6143 5036ae0-5036b53 6116->6143 6144 5036b9a-5036bae 6116->6144 6117->6116 6130 5036574-5036583 6119->6130 6131 503663c 6119->6131 6137 5036589-50365bc 6130->6137 6138 503663e 6130->6138 6131->6091 6225 5036603-503660c 6137->6225 6226 50365be-50365f8 6137->6226 6167 5036643-503668b 6138->6167 6143->6144 6150 5036bb4-5036c0b 6144->6150 6151 5036c8b-5036c9f 6144->6151 6271 5036c12-5036c44 6150->6271 6164 5036de5-5036df9 6151->6164 6165 5036ca5-5036d97 6151->6165 6175 5036dff-5036e4f 6164->6175 6176 503705c-5037070 6164->6176 6389 5036d9e 6165->6389 6167->6091 6288 5036e51-5036e77 6175->6288 6289 5036ebd-5036ee8 6175->6289 6185 5037076-5037111 call 5034278 * 2 6176->6185 6186 5037158-503715f 6176->6186 6185->6186 6206 5036402-5036411 6194->6206 6207 50364e5 6194->6207 6220 50364e7 6206->6220 6221 5036417-50364b5 6206->6221 6207->6085 6252 50364ec-5036534 6220->6252 6221->6252 6356 50364b7 6221->6356 6225->6167 6238 503660e 6225->6238 6226->6225 6238->6119 6252->6085 6271->6151 6282->6031 6354 5036e79-5036e92 6288->6354 6355 5036eb8 6288->6355 6357 5036fc6-5037057 6289->6357 6358 5036eee-5036fc1 6289->6358 6293->6036 6305->6042 6315->6046 6326->6051 6328->6030 6342->6056 6386 5036e99 6354->6386 6355->6176 6356->6194 6357->6176 6358->6176 6362 503536d 6359->6362 6360->6362 6361->6070 6362->6024 6365->6079 6386->6355 6389->6164 6410->6043 6411->6043
Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l$\OGl$2Gl
• API String ID: 0-967788400
• Opcode ID: a39ad81b6830724c1f5147f8f47626f0bc46c3538c395a1a11affdc6acca2e4e
• Instruction ID: 21eb88875771a302dbf0f84cd4856305af700313fe52d5e126ec43b0459e78ab
• Opcode Fuzzy Hash: a39ad81b6830724c1f5147f8f47626f0bc46c3538c395a1a11affdc6acca2e4e
• Instruction Fuzzy Hash: 61D23978A05228CFDB25EF25D854BADB7B2BF48304F0042E9D849A7794DB319E86CF51
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                  control_flow_graph 6412 5034f9d-5034ff6 6419 5035045-5035059 6412->6419 6420 5034ff8-5034ffe 6412->6420 6421 50350a2-50350b6 6419->6421 6422 503505b 6419->6422 6420->6419 6424 50350b8-50350e1 6421->6424 6425 503512d-5035141 6421->6425 6422->6421 6424->6425 6426 5035147-5035363 6425->6426 6427 50353b4-50353c8 6425->6427 6762 5035367 6426->6762 6763 5035365 6426->6763 6428 503549e-50354b2 6427->6428 6429 50353ce-50353de 6427->6429 6432 50354b8-50355e7 6428->6432 6433 503566f-5035683 6428->6433 6813 50353e4 call 2801047 6429->6813 6814 50353e4 call 280106e 6429->6814 6731 50355f2-5035628 6432->6731 6434 50357e6-50357fa 6433->6434 6435 5035689-5035794 6433->6435 6438 5035800-503590b 6434->6438 6439 503595d-5035971 6434->6439 6685 503579f 6435->6685 6696 5035916 6438->6696 6444 5035977-5035a82 6439->6444 6445 5035ad4-5035ae8 6439->6445 6708 5035a8d 6444->6708 6449 5035c4b-5035c5f 6445->6449 6450 5035aee-5035bf9 6445->6450 6446 50353ea-5035450 6512 5035457 6446->6512 6454 5035dc2-5035dd6 6449->6454 6455 5035c65-5035d70 6449->6455 6718 5035c04 6450->6718 6459 5035f39-5035f4d 6454->6459 6460 5035ddc-5035ee7 6454->6460 6729 5035d7b 6455->6729 6464 5035f53-5036069 6459->6464 6465 50360b0-50360c4 6459->6465 6745 5035ef2 6460->6745 6464->6465 6473 5036227-503623b 6465->6473 6474 50360ca-50361d5 6465->6474 6481 5036241-503634c 6473->6481 6482 503639e-50363b2 6473->6482 6764 50361e0 6474->6764 6768 5036357 6481->6768 6488 5036536-503654a 6482->6488 6489 50363b8-50363fd call 5034278 6482->6489 6493 5036550-503656f 6488->6493 6494 503668d-50366a1 6488->6494 6597 50364bd-50364df 6489->6597 6522 5036614-5036636 6493->6522 6503 50366a7-50367a7 6494->6503 6504 50367ee-5036802 6494->6504 6503->6504 6509 5036808-5036908 6504->6509 6510 503694f-5036963 6504->6510 6509->6510 6519 5036ab0-5036ada 6510->6519 6520 5036969-5036a69 6510->6520 6512->6428 6546 5036ae0-5036b53 6519->6546 6547 
5036b9a-5036bae 6519->6547 6520->6519 6533 5036574-5036583 6522->6533 6534 503663c 6522->6534 6540 5036589-50365bc 6533->6540 6541 503663e 6533->6541 6534->6494 6628 5036603-503660c 6540->6628 6629 50365be-50365f8 6540->6629 6570 5036643-503668b 6541->6570 6546->6547 6553 5036bb4-5036c0b 6547->6553 6554 5036c8b-5036c9f 6547->6554 6674 5036c12-5036c44 6553->6674 6567 5036de5-5036df9 6554->6567 6568 5036ca5-5036d97 6554->6568 6578 5036dff-5036e4f 6567->6578 6579 503705c-5037070 6567->6579 6792 5036d9e 6568->6792 6570->6494 6691 5036e51-5036e77 6578->6691 6692 5036ebd-5036ee8 6578->6692 6588 5037076-5037111 call 5034278 * 2 6579->6588 6589 5037158-503715f 6579->6589 6588->6589 6609 5036402-5036411 6597->6609 6610 50364e5 6597->6610 6623 50364e7 6609->6623 6624 5036417-50364b5 6609->6624 6610->6488 6655 50364ec-5036534 6623->6655 6624->6655 6759 50364b7 6624->6759 6628->6570 6641 503660e 6628->6641 6629->6628 6641->6522 6655->6488 6674->6554 6685->6434 6757 5036e79-5036e92 6691->6757 6758 5036eb8 6691->6758 6760 5036fc6-5037057 6692->6760 6761 5036eee-5036fc1 6692->6761 6696->6439 6708->6445 6718->6449 6729->6454 6731->6433 6745->6459 6789 5036e99 6757->6789 6758->6579 6759->6597 6760->6579 6761->6579 6765 503536d 6762->6765 6763->6765 6764->6473 6765->6427 6768->6482 6789->6758 6792->6567 6813->6446 6814->6446
Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l$\OGl$2Gl
• API String ID: 0-967788400
• Opcode ID: f32f1885e40f084ae2c069d54a5801db877a7e394321255c19944a86d98a34bb
• Instruction ID: 9b7e1867c5f4a63de50631bc97bd60fe9512deb19ca5d114a58285a9764feaa3
• Opcode Fuzzy Hash: f32f1885e40f084ae2c069d54a5801db877a7e394321255c19944a86d98a34bb
• Instruction Fuzzy Hash: FDD22978A05228CFDB25EF25D854BADB7B2BF48304F0042E9D849A7794DB319E86CF51
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                  control_flow_graph 6815 5035000-5035059 6822 50350a2-50350b6 6815->6822 6823 503505b 6815->6823 6824 50350b8-50350e1 6822->6824 6825 503512d-5035141 6822->6825 6823->6822 6824->6825 6826 5035147-5035363 6825->6826 6827 50353b4-50353c8 6825->6827 7162 5035367 6826->7162 7163 5035365 6826->7163 6828 503549e-50354b2 6827->6828 6829 50353ce-50353de 6827->6829 6832 50354b8-50355e7 6828->6832 6833 503566f-5035683 6828->6833 7213 50353e4 call 2801047 6829->7213 7214 50353e4 call 280106e 6829->7214 7131 50355f2-5035628 6832->7131 6834 50357e6-50357fa 6833->6834 6835 5035689-5035794 6833->6835 6838 5035800-503590b 6834->6838 6839 503595d-5035971 6834->6839 7085 503579f 6835->7085 7096 5035916 6838->7096 6844 5035977-5035a82 6839->6844 6845 5035ad4-5035ae8 6839->6845 7108 5035a8d 6844->7108 6849 5035c4b-5035c5f 6845->6849 6850 5035aee-5035bf9 6845->6850 6846 50353ea-5035450 6912 5035457 6846->6912 6854 5035dc2-5035dd6 6849->6854 6855 5035c65-5035d70 6849->6855 7118 5035c04 6850->7118 6859 5035f39-5035f4d 6854->6859 6860 5035ddc-5035ee7 6854->6860 7129 5035d7b 6855->7129 6864 5035f53-5036069 6859->6864 6865 50360b0-50360c4 6859->6865 7145 5035ef2 6860->7145 6864->6865 6873 5036227-503623b 6865->6873 6874 50360ca-50361d5 6865->6874 6881 5036241-503634c 6873->6881 6882 503639e-50363b2 6873->6882 7164 50361e0 6874->7164 7168 5036357 6881->7168 6888 5036536-503654a 6882->6888 6889 50363b8-50363fd call 5034278 6882->6889 6893 5036550-503656f 6888->6893 6894 503668d-50366a1 6888->6894 6997 50364bd-50364df 6889->6997 6922 5036614-5036636 6893->6922 6903 50366a7-50367a7 6894->6903 6904 50367ee-5036802 6894->6904 6903->6904 6909 5036808-5036908 6904->6909 6910 503694f-5036963 6904->6910 6909->6910 6919 5036ab0-5036ada 6910->6919 6920 5036969-5036a69 6910->6920 6912->6828 6946 5036ae0-5036b53 6919->6946 6947 5036b9a-5036bae 6919->6947 6920->6919 6933 5036574-5036583 6922->6933 6934 503663c 
6922->6934 6940 5036589-50365bc 6933->6940 6941 503663e 6933->6941 6934->6894 7028 5036603-503660c 6940->7028 7029 50365be-50365f8 6940->7029 6970 5036643-503668b 6941->6970 6946->6947 6953 5036bb4-5036c0b 6947->6953 6954 5036c8b-5036c9f 6947->6954 7074 5036c12-5036c44 6953->7074 6967 5036de5-5036df9 6954->6967 6968 5036ca5-5036d97 6954->6968 6978 5036dff-5036e4f 6967->6978 6979 503705c-5037070 6967->6979 7192 5036d9e 6968->7192 6970->6894 7091 5036e51-5036e77 6978->7091 7092 5036ebd-5036ee8 6978->7092 6988 5037076-5037111 call 5034278 * 2 6979->6988 6989 5037158-503715f 6979->6989 6988->6989 7009 5036402-5036411 6997->7009 7010 50364e5 6997->7010 7023 50364e7 7009->7023 7024 5036417-50364b5 7009->7024 7010->6888 7055 50364ec-5036534 7023->7055 7024->7055 7159 50364b7 7024->7159 7028->6970 7041 503660e 7028->7041 7029->7028 7041->6922 7055->6888 7074->6954 7085->6834 7157 5036e79-5036e92 7091->7157 7158 5036eb8 7091->7158 7160 5036fc6-5037057 7092->7160 7161 5036eee-5036fc1 7092->7161 7096->6839 7108->6845 7118->6849 7129->6854 7131->6833 7145->6859 7189 5036e99 7157->7189 7158->6979 7159->6997 7160->6979 7161->6979 7165 503536d 7162->7165 7163->7165 7164->6873 7165->6827 7168->6882 7189->7158 7192->6967 7213->6846 7214->6846
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-967788400
                                                                                                  • Opcode ID: 4e2801291229f28270116f7a700e1bbe8b0a2aae804173980f44e494297d7e74
                                                                                                  • Instruction ID: 3b359545dfd26ceff79b5422d921bd922d4333b06b5391bd328a646f3fe66aa6
                                                                                                  • Opcode Fuzzy Hash: 4e2801291229f28270116f7a700e1bbe8b0a2aae804173980f44e494297d7e74
                                                                                                  • Instruction Fuzzy Hash: B1D23978A01228CFDB25EF25D854BADB7B2BF48304F0042E9D849A7794DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  [Control-flow graph rendered as an image in the original report; the raw node/edge list for basic blocks 503505d-503715f (calls to 2801047, 280106e and 5034278) is not reproduced here.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-967788400
                                                                                                  • Opcode ID: 18a9bddd6e27120ae667800c0c443d10353daf21dcc5c4340f278290f8c2c4a4
                                                                                                  • Instruction ID: f36eb45388a5759be562992f8f935b2c980aee66f8fac7fc50db4554600ccad0
                                                                                                  • Opcode Fuzzy Hash: 18a9bddd6e27120ae667800c0c443d10353daf21dcc5c4340f278290f8c2c4a4
                                                                                                  • Instruction Fuzzy Hash: 72D22978A01228CFDB25EF25D854BADB7B2BF49304F0042E9D849A7794DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  [Control-flow graph rendered as an image in the original report; the raw node/edge list for basic blocks 50350e3-503715f (calls to 2801047, 280106e and 5034278) is not reproduced here.]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-967788400
                                                                                                  • Opcode ID: e961be3e5616b49354569ebedb5f9d60165ac2ed770549f21a4a417b94dd84a1
                                                                                                  • Instruction ID: 129be50d68dc177bab1db4220680e76cea4725aeff47f5b32e1a151ffa0650f3
                                                                                                  • Opcode Fuzzy Hash: e961be3e5616b49354569ebedb5f9d60165ac2ed770549f21a4a417b94dd84a1
                                                                                                  • Instruction Fuzzy Hash: 47D22978A01228CFDB25EF25D854BADB7B2BF48304F0042E9D849A7795DB319E86CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$\OGl$2Gl
                                                                                                  • API String ID: 0-967788400
                                                                                                  • Opcode ID: 559fa734a9febc295810b8cae980ff4db62e8eec4c236cd52532a5fff2f4ac39
                                                                                                  • Instruction ID: f8c3f4b2456d2814f9f453a321ab44113be3b76a991725160d5c929069afeff9
                                                                                                  • Opcode Fuzzy Hash: 559fa734a9febc295810b8cae980ff4db62e8eec4c236cd52532a5fff2f4ac39
                                                                                                  • Instruction Fuzzy Hash: 36C20578A01228CFDB25EF25D854BADB7B2BF48308F1042E9D94967794DB319E86CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$:@ l$\OGl
                                                                                                  • API String ID: 0-116880224
                                                                                                  • Opcode ID: 3845b63ea94e793d0dbb31d1dbf9cd4753c44033d0abc81b26884d5112a259ba
                                                                                                  • Instruction ID: 7b4d349161e4fb6d3984e2fbfcab4335ec1c7a0ee30dcb858034f1d6b2fd456e
                                                                                                  • Opcode Fuzzy Hash: 3845b63ea94e793d0dbb31d1dbf9cd4753c44033d0abc81b26884d5112a259ba
                                                                                                  • Instruction Fuzzy Hash: 14C20578A01228CFDB25EF25D854BADB7B2BF48304F1042E9D94967794DB329E86CF41
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0272BD97
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPrivilegesToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 2874748243-0
                                                                                                  • Opcode ID: c228c864fef21f090b234ab3e3685b2ba16476c3fe0a7e06850e662e432c8e37
                                                                                                  • Instruction ID: c822b7589d5539470803d27bcd4f6ab4a315042163addad8278625d24f5ad02f
                                                                                                  • Opcode Fuzzy Hash: c228c864fef21f090b234ab3e3685b2ba16476c3fe0a7e06850e662e432c8e37
                                                                                                  • Instruction Fuzzy Hash: AA21BF76509384AFDB128F25DC40B92BFF8EF06314F0884DAE9858B163D3719918DB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • NtQuerySystemInformation.NTDLL ref: 059F006D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InformationQuerySystem
                                                                                                  • String ID:
                                                                                                  • API String ID: 3562636166-0
                                                                                                  • Opcode ID: 90e101da21966bf4f65e86a4326ce0037ae1e47ab7fba01c37c8f8f18aaaafbd
                                                                                                  • Instruction ID: d15b592cfac9c7fb3e18e5ab73a50c424cb2381c4b217cce6891f9a09c7b0bd6
                                                                                                  • Opcode Fuzzy Hash: 90e101da21966bf4f65e86a4326ce0037ae1e47ab7fba01c37c8f8f18aaaafbd
                                                                                                  • Instruction Fuzzy Hash: 3411B271408780AFD7228F15DC45F62FFB4EF06320F09849AED854B263D265A958CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0272BD97
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPrivilegesToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 2874748243-0
                                                                                                  • Opcode ID: 6c450507b79671ae75df946d0e5e0e3f240f2e73623777740ef378bd0f96f72e
                                                                                                  • Instruction ID: 0617c4a7f2a7b113765cc0fac3166c66b27562037abdec9ec88e9acf04385a8b
                                                                                                  • Opcode Fuzzy Hash: 6c450507b79671ae75df946d0e5e0e3f240f2e73623777740ef378bd0f96f72e
                                                                                                  • Instruction Fuzzy Hash: 451182765006449FDB20CF56D884BA6FBE8EF04724F08C4AADD868B662D375E418DF71
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • NtQuerySystemInformation.NTDLL ref: 059F006D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InformationQuerySystem
                                                                                                  • String ID:
                                                                                                  • API String ID: 3562636166-0
                                                                                                  • Opcode ID: 75fbbef87c025eac6648aee8d201bb6cbbc4589d2c57c1744da4f3a40c983b67
                                                                                                  • Instruction ID: 1160d503367254bf8d224810330ecac950de019467b64b8a147a844bb36d5175
                                                                                                  • Opcode Fuzzy Hash: 75fbbef87c025eac6648aee8d201bb6cbbc4589d2c57c1744da4f3a40c983b67
                                                                                                  • Instruction Fuzzy Hash: A0012C75400640DFEB20CF55D888B65FBA9FF08624F08C49ADE4A4A666E375A419CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl$2Gl$5]fj^$E]fj^
                                                                                                  • API String ID: 0-1280032203
                                                                                                  • Opcode ID: 2ee2e612cb300f74c2c257b26b98d51215b8a7a3279b622360c37a21d40003ec
                                                                                                  • Instruction ID: a99482cbe08dc7e1a72ebbf609535e072de9614d28b9ae3f5b519a95fd732dad
                                                                                                  • Opcode Fuzzy Hash: 2ee2e612cb300f74c2c257b26b98d51215b8a7a3279b622360c37a21d40003ec
                                                                                                  • Instruction Fuzzy Hash: D931F434B043505FD706EBB19C11BAE7B679BC6218F04856ED4419B782CF358C0A87E2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl$2Gl$5]fj^$E]fj^
                                                                                                  • API String ID: 0-1280032203
                                                                                                  • Opcode ID: 71e2425041c818d26ae4a5663c426aa996762768355f242278554c2e16552e33
                                                                                                  • Instruction ID: b1932dd14eed5d6e06b3adefbaf867f123687cd87585a9f35b32900f2d3fa8a5
                                                                                                  • Opcode Fuzzy Hash: 71e2425041c818d26ae4a5663c426aa996762768355f242278554c2e16552e33
                                                                                                  • Instruction Fuzzy Hash: 55114434B042600BC31AE7B5A810FFA77579BC6208744852ED441DFB46CF7ACC0A83E6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l
• API String ID: 0-3469574050
• Opcode ID: 07527005ee815e148203267a134bdbf6d1a949061715ccb75fb2396c0032ae13
• Instruction ID: 6a10d5d0e650089b35566b46fcbd020a9d78f65a1b8ab2f3bcdd1a3f9c240963
• Opcode Fuzzy Hash: 07527005ee815e148203267a134bdbf6d1a949061715ccb75fb2396c0032ae13
• Instruction Fuzzy Hash: 7AB2AF38B00364DFEF109B7AE8117BD7BB6AB4C704F008296A84593794DB358E86DF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l
• API String ID: 0-3469574050
• Opcode ID: a3c98f11dc342713d2a3c026a1191b995b7b5111db93df88f1a34c98a6717480
• Instruction ID: 07ddd87cc7db1830c2e5703624471b20327eb8f92bc491e5236f61e7fd899a8d
• Opcode Fuzzy Hash: a3c98f11dc342713d2a3c026a1191b995b7b5111db93df88f1a34c98a6717480
• Instruction Fuzzy Hash: 6F92B238B00364EFEF159B7AE8117BD77ABAB8C704F008196A44593794DB358E86DF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l
• API String ID: 0-3469574050
• Opcode ID: 7f25877596d7806c2db4d5cb6ce1817cff005880b42289d4212b5f42bc39c4e5
• Instruction ID: de8254a8f2cbcc6b1079661f6ea7d690d2e2ce24dbdd22ae59d9d5a646b93845
• Opcode Fuzzy Hash: 7f25877596d7806c2db4d5cb6ce1817cff005880b42289d4212b5f42bc39c4e5
• Instruction Fuzzy Hash: 8A92B138B00364EFEF159B7AE8117BD77ABAB8C704F008196A44593794DB358E86DF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$:@ l
• API String ID: 0-3469574050
• Opcode ID: cfabe4813a38f1483bc6580c330e146a917d6f92b182bdd0d8923891a109a2ed
• Instruction ID: e0357672f48f8f773873db8bd9b97e7f351d8bf48df9308dfeffb28e6678ec88
• Opcode Fuzzy Hash: cfabe4813a38f1483bc6580c330e146a917d6f92b182bdd0d8923891a109a2ed
• Instruction Fuzzy Hash: 3F92B238B00364EFEF159B7AE8117BD77ABAB8C704F008196A44593794DB358E86DF60
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 7340da2cc12ee4e88a631da6c20ed2fb34f1d326592f164095cea38f8a6b2346
• Instruction ID: 17e9b89ffc71fb7b09438a2bfaacc1e6387b7b889661caeba8f79240635fd5ed
• Opcode Fuzzy Hash: 7340da2cc12ee4e88a631da6c20ed2fb34f1d326592f164095cea38f8a6b2346
• Instruction Fuzzy Hash: 22B20578A01228CFDB25EF21D854BADB7B2BF49304F1042E9D909A7794DB319E86CF41
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: be5fd8c6b43d3055a742f9ace42e5b21a5a0654900278dc955c55ff9859368d3
• Instruction ID: dc980a48f89577660506ea46efed9efeffb3926a38ae07dbc57ab35ebebf0338
• Opcode Fuzzy Hash: be5fd8c6b43d3055a742f9ace42e5b21a5a0654900278dc955c55ff9859368d3
• Instruction Fuzzy Hash: 5FA21578A01228CFDB25EF25D854BADB7B6BF49304F0042E9D909A7794DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 60ec5ec6f4917603f2ca22bfe8619052478944db105b5835c48f2951ce3e3861
• Instruction ID: 437ee89407c8cb52a1cf7f210b5e2cbc4feb9278feeae2b41c21bb23d3c25d67
• Opcode Fuzzy Hash: 60ec5ec6f4917603f2ca22bfe8619052478944db105b5835c48f2951ce3e3861
• Instruction Fuzzy Hash: 4E920678A01228CFDB25EF25D854BADB7B6BF49304F1042E9D909A7794DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 62fd462d4bbb9ff046b29747250f56bd61cfd9f270d93b2c6c63872b26864856
• Instruction ID: c85f6b3eb5b99ac1b36fab034b0e1fd40067e3a689cc85221cdc9062f032633d
• Opcode Fuzzy Hash: 62fd462d4bbb9ff046b29747250f56bd61cfd9f270d93b2c6c63872b26864856
• Instruction Fuzzy Hash: 1E921678A01228CFDB25EF25D854BADB7B6BF49304F1042E9D909A7794DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 2657e5a788ee11b9149704bd3e86891849276c5ef0eca81c641abcc5a4e096f8
• Instruction ID: 6c858875ffaeb59c66295c74d3c38c0199eaecedc5258bf0cde8686489988d72
• Opcode Fuzzy Hash: 2657e5a788ee11b9149704bd3e86891849276c5ef0eca81c641abcc5a4e096f8
• Instruction Fuzzy Hash: 01820778A01228CFDB25EF25D854BADB7B6BF49304F1042E9D909A7794DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 5fa043db3202a01205f40d68bafdffbf357f82e1dab4f59c6d78b37724e3650e
• Instruction ID: 09ecae42c6348c562bb75a3571906e6e98f520876e921327e66515567c9f2236
• Opcode Fuzzy Hash: 5fa043db3202a01205f40d68bafdffbf357f82e1dab4f59c6d78b37724e3650e
• Instruction Fuzzy Hash: 12720778A01228CFDB25EF25D854BACB7B6BF49304F1042E9D909A7795DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: a8e78d1843b67e16dd95451660dff53aa24636a4b1868fb04b956fcfc7399686
• Instruction ID: be33e7eabc22aff05c4f36009204dc8a2928041dc65c56f9aebb86c33d3eabbd
• Opcode Fuzzy Hash: a8e78d1843b67e16dd95451660dff53aa24636a4b1868fb04b956fcfc7399686
• Instruction Fuzzy Hash: A3620878A01228CFDB25EF25D854BACB7B6BF49304F1042E9D909A7795DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: a7501b6df065c456731c12d6f67ad8ede25709b00bdb9f19a102397ab2f171db
• Instruction ID: dd562916a5e0a303f67b95e7370397692c5ca37a786348cfef873235e5a2c710
• Opcode Fuzzy Hash: a7501b6df065c456731c12d6f67ad8ede25709b00bdb9f19a102397ab2f171db
• Instruction Fuzzy Hash: DC520978A01228CFDB25EF25D854BACB7B6BF49305F1042E9D909A7395DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: b11ff7c751869ea25b97f79102f2012744e26fa024729f3c441467e59b712cff
• Instruction ID: e2bd74c110acb65b248b3813af976432515e8b8bc8ddcf49e31bf16854eb84ee
• Opcode Fuzzy Hash: b11ff7c751869ea25b97f79102f2012744e26fa024729f3c441467e59b712cff
• Instruction Fuzzy Hash: 27420C78A01228CFDB25EF25D854BACB7B6BF49305F1042E9D909A7394DB319E86CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: \OGl$2Gl
• API String ID: 0-915996941
• Opcode ID: 0409c3f27c106f84798e6174a1211e2b4613eb609814d768f6d3d5f5bb0bf7d8
• Instruction ID: a65ab93b8837b561ab478a72ce106b893966544c42ee962d4c0a35806f8ba8a3
• Opcode Fuzzy Hash: 0409c3f27c106f84798e6174a1211e2b4613eb609814d768f6d3d5f5bb0bf7d8
• Instruction Fuzzy Hash: 3E322634A00228CFDB14EF75D895BEDB7B2AF49308F1045A9D40AAB794DB359E86CF50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: cb9922f2c1433a185cda24e5ec3d6dc94135ce323da83fbfad8aacf85fc5864e
• Instruction ID: d732729a80ce4498c46ac0c7eba666c5887d54db5c53e5f9397798fbbbbf47d9
• Opcode Fuzzy Hash: cb9922f2c1433a185cda24e5ec3d6dc94135ce323da83fbfad8aacf85fc5864e
• Instruction Fuzzy Hash: BF321D78A01224CFDB25EF25D954BACB7B5BF49305F1082E9D909A7395DB319E86CF00
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 44247d186b72f61fd01d3049c47d95458e2def61f51a4d49625049f6f3b7082d
• Instruction ID: 0172f63e7217c1e7abb58373f78afd0c114309ccb4d6e273ae7796c755c4896f
• Opcode Fuzzy Hash: 44247d186b72f61fd01d3049c47d95458e2def61f51a4d49625049f6f3b7082d
• Instruction Fuzzy Hash: C9220C78A01228CFDB25EF25D954BA8B7B5FF49305F1082E9D909A7395DB319E86CF00
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
Similarity
• API ID:
• String ID: :@ l$\OGl
• API String ID: 0-4049628448
• Opcode ID: 000d90b4d3d9f88ec5dd40ca421883ebeffb09daaa5792d7b80cbd73f0c074ec
• Instruction ID: bc75e4911b740c23aafe0f28a3a0ff4303ee63323a2ee6e60a8c782519a611b9
• Opcode Fuzzy Hash: 000d90b4d3d9f88ec5dd40ca421883ebeffb09daaa5792d7b80cbd73f0c074ec
• Instruction Fuzzy Hash: FD020978A01228CFDB25EF25D854BADB7B6BF49305F1042E9D949A7394DB319E86CF00
Uniqueness

Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$\OGl
                                                                                                  • API String ID: 0-4049628448
                                                                                                  • Opcode ID: 87d897844341822bf42c38ac44e8bdd9bb418e7764f24766fa144d8f086356ce
                                                                                                  • Instruction ID: 249168a06c3612096cb9687ed9610cef0ea6cce160e9a1ad2c8bc2a3b8083cba
                                                                                                  • Opcode Fuzzy Hash: 87d897844341822bf42c38ac44e8bdd9bb418e7764f24766fa144d8f086356ce
                                                                                                  • Instruction Fuzzy Hash: 8ED11978A012248FDB25EF25D854BADB7B6BF49304F5042E9D909A7394DB319E86CF00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l$\OGl
                                                                                                  • API String ID: 0-4049628448
                                                                                                  • Opcode ID: 639aa0c0659b96e75ef1a89e617d45c1c550f2d56332fe11bc2e470e73f206a2
                                                                                                  • Instruction ID: 915985e28abe69cef88d270580c2d89ccae5efbb713e7e3630c0797da44167dc
                                                                                                  • Opcode Fuzzy Hash: 639aa0c0659b96e75ef1a89e617d45c1c550f2d56332fe11bc2e470e73f206a2
                                                                                                  • Instruction Fuzzy Hash: 82B15D74A012288FDB24EF35D851BADB7B6BF49308F5042E9D509AB390DB359E86CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: L.Gl
                                                                                                  • API String ID: 0-963225538
                                                                                                  • Opcode ID: 5b604574a7ede7965b1c2867f5702e42ba2588638dde9d20d815a65edf41815a
                                                                                                  • Instruction ID: a2c421e397570d859a6b2c5c5159b571405b0f82610e72b2df49d94fe753bd22
                                                                                                  • Opcode Fuzzy Hash: 5b604574a7ede7965b1c2867f5702e42ba2588638dde9d20d815a65edf41815a
                                                                                                  • Instruction Fuzzy Hash: 90C1DE70B002158FDB15EB75D451BBEB7E6EF88208F648138D416DB781EB38D94ACBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 059F13EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: d436d3c79955843543fd967c0c749ba667421a8d03eb1c51600c53a1064a7d3a
                                                                                                  • Instruction ID: c52816b0c5a984e3bc959cbe76185a325e836883714f20f97af5e26418f74a3c
                                                                                                  • Opcode Fuzzy Hash: d436d3c79955843543fd967c0c749ba667421a8d03eb1c51600c53a1064a7d3a
                                                                                                  • Instruction Fuzzy Hash: CE319C7110E3C0AFD3138B258C61A61BFB5EF47610B1E45CBD8C48F6A3D229A819D7B2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0272B1D1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 53f116c108a31ae2b4af529f1b00578a902682f886076b9d2640e56c5c6c2a2a
                                                                                                  • Instruction ID: 7b8066d21a2c192eb9c6fb968c4ce9e80b84b9001eff199813268de70b0cd1f8
                                                                                                  • Opcode Fuzzy Hash: 53f116c108a31ae2b4af529f1b00578a902682f886076b9d2640e56c5c6c2a2a
                                                                                                  • Instruction Fuzzy Hash: DC3170714093846FD7228B618C45FA7BFBCEF06614F18859BE9848B553D364E50DCB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 059F2017
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: getaddrinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 300660673-0
                                                                                                  • Opcode ID: 3141f6051a4a148cf47d8cab3d1104780eb0e21fbc5a5ae47b1daa424b81108d
                                                                                                  • Instruction ID: 0076a5030c6277de2855114b117637bb3f32bae40830b39ce44216a78de47b7b
                                                                                                  • Opcode Fuzzy Hash: 3141f6051a4a148cf47d8cab3d1104780eb0e21fbc5a5ae47b1daa424b81108d
                                                                                                  • Instruction Fuzzy Hash: A431A172404340AFE721CB51CC44FA6FBBCEB05714F14449AFA499B591D375A909CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0272AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: ec4d531730f7df5c3e1f3627737d4687d15987c2b71f914b917311096e5ab85f
                                                                                                  • Instruction ID: 525f497c52bf83334d44cb76b5653ba9745020a373a5c7ce2c5dc33ee0bc1992
                                                                                                  • Opcode Fuzzy Hash: ec4d531730f7df5c3e1f3627737d4687d15987c2b71f914b917311096e5ab85f
                                                                                                  • Instruction Fuzzy Hash: E6318E71509380AFE722CF65CC85F96FFF8EF05624F08849EE9858B652D365E818CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 059F2462
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FormatMessage
                                                                                                  • String ID:
                                                                                                  • API String ID: 1306739567-0
                                                                                                  • Opcode ID: ba6a2a9af972dc2314c8e05636753fee2f42d42a9b17bbb319d06ae0b37b7df6
                                                                                                  • Instruction ID: 7df41990d9e22182e292db3e6428a44d3c1a54305088f009869ea5ebc575973e
                                                                                                  • Opcode Fuzzy Hash: ba6a2a9af972dc2314c8e05636753fee2f42d42a9b17bbb319d06ae0b37b7df6
                                                                                                  • Instruction Fuzzy Hash: A431917250D3C45FD7038B218C51A56BFB8EF47710F1A84CBD8849F6A3E624691AC7A2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetProcessTimes.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F1EE5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessTimes
                                                                                                  • String ID:
                                                                                                  • API String ID: 1995159646-0
                                                                                                  • Opcode ID: d511808a3a912b68a5f2af89778cf2d1d8a3adfe8abaccbb8cc838cada0cee97
                                                                                                  • Instruction ID: 21a03b795c73745cb086023a88189c134b406cb0671ffee32251cc09c1476bfc
                                                                                                  • Opcode Fuzzy Hash: d511808a3a912b68a5f2af89778cf2d1d8a3adfe8abaccbb8cc838cada0cee97
                                                                                                  • Instruction Fuzzy Hash: 8B31D771409380AFDB128F61DC45FA6BFB8EF06314F18849AE9858B563D3259909DBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0272B01D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: de86f840ba9178eabba29b3dd76f7c326a0aaa0c39901be12505ffcfb7df4d10
                                                                                                  • Instruction ID: 369a2edc56ec4488553c43264014f2ea500192e8389582f7bf7c2a0831d85187
                                                                                                  • Opcode Fuzzy Hash: de86f840ba9178eabba29b3dd76f7c326a0aaa0c39901be12505ffcfb7df4d10
                                                                                                  • Instruction Fuzzy Hash: B23193B15093806FE722CB65DC45F96FFF8EF06214F18849EE944CB292D365E909C762
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B2D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: b47caaac5b5af4d3c7a36150d41a55e7c08b50339a869cc034860af38c103555
                                                                                                  • Instruction ID: f6a1bc19ac30646e86ba20a566edea03dac16a4b5ccf68ffa059150fe86fc5a7
                                                                                                  • Opcode Fuzzy Hash: b47caaac5b5af4d3c7a36150d41a55e7c08b50339a869cc034860af38c103555
                                                                                                  • Instruction Fuzzy Hash: 9531AF725093806FE722CB61CC44FA6BFFCEF06624F18849AE9858B653D360E50CCB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 059F18D3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                                                  • String ID:
                                                                                                  • API String ID: 3907675253-0
                                                                                                  • Opcode ID: 9879f46d1b92e5bccd8117e490d11f889ed0b46e89567303f06b9f63573e864c
                                                                                                  • Instruction ID: 931f667aa0e90b37a7765dad4666c9afbc6a397ae1d3d5b9c63d962a37f15f98
                                                                                                  • Opcode Fuzzy Hash: 9879f46d1b92e5bccd8117e490d11f889ed0b46e89567303f06b9f63573e864c
                                                                                                  • Instruction Fuzzy Hash: 2831BF72508380AFE721CB65DC45FA7BFFCEF05210F0884AAE944DB652D364E908CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0272A77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard
                                                                                                  • String ID:
                                                                                                  • API String ID: 220874293-0
                                                                                                  • Opcode ID: 6c84b2db233e62484b88803fc11a69334145b68087c239b625e6d980a39de631
                                                                                                  • Instruction ID: 0af75a5c17f42056f3ff35c50c86ce2a45e5d7467a896e935c74247714c1e6c9
                                                                                                  • Opcode Fuzzy Hash: 6c84b2db233e62484b88803fc11a69334145b68087c239b625e6d980a39de631
                                                                                                  • Instruction Fuzzy Hash: 66317E7104D3C06FD3138B259C61BA2BFB8EF47614F1A40CBE884CB6A3D2296819D772
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F05D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CodeExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 3861947596-0
                                                                                                  • Opcode ID: 71a8c7435625cb991da181ffb16b05e73c7740995c5a755bee9b80d5c8f8c7f3
                                                                                                  • Instruction ID: 1872866f329ea95f29033c34e989f7affe182f1c60c9995adb4d707450be377b
                                                                                                  • Opcode Fuzzy Hash: 71a8c7435625cb991da181ffb16b05e73c7740995c5a755bee9b80d5c8f8c7f3
                                                                                                  • Instruction Fuzzy Hash: FE2144B15093806FE7128B21DC44FA6BFBCEF46324F0884DBE984CF193C2649909CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 059F2017
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: getaddrinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 300660673-0
                                                                                                  • Opcode ID: e4da574a1701949246dfbbe5f5a3be295be882ef5bdbceb65b407b6a7bc57a2e
                                                                                                  • Instruction ID: f45d93e4f2dc0d26ba0cdfda48316b5e609b7556560bb3702af36e3053124402
                                                                                                  • Opcode Fuzzy Hash: e4da574a1701949246dfbbe5f5a3be295be882ef5bdbceb65b407b6a7bc57a2e
                                                                                                  • Instruction Fuzzy Hash: AD21E272000300AEEB20DF61CC85FE6FBACEF04714F14485AFA499A691D775A54DCBB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F2273
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessSizeWorking
                                                                                                  • String ID:
                                                                                                  • API String ID: 3584180929-0
                                                                                                  • Opcode ID: 4c67fe6f1f6bb2b2b5db5b3baf8a262df2efa56c96de63c1c5878328cc4a5867
                                                                                                  • Instruction ID: ba5490a59731636b0169f8627819af32be9470d9864a4b5b0d28699563b76cc3
                                                                                                  • Opcode Fuzzy Hash: 4c67fe6f1f6bb2b2b5db5b3baf8a262df2efa56c96de63c1c5878328cc4a5867
                                                                                                  • Instruction Fuzzy Hash: 0F21D6714093C06FEB12CB61DC55FA6BFB8EF06314F1884DAE9848F563D2249908C761
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0272B4B1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendTimeout
                                                                                                  • String ID:
                                                                                                  • API String ID: 1599653421-0
                                                                                                  • Opcode ID: 9620ec2ecd797d29f529a0401824ff12247bf9617e062847a97e78eb5a1d6478
                                                                                                  • Instruction ID: 092427a93c59999f023cbbdc6b82bba85c5a1832e05f0e97cd5afa3b0a3a823a
                                                                                                  • Opcode Fuzzy Hash: 9620ec2ecd797d29f529a0401824ff12247bf9617e062847a97e78eb5a1d6478
                                                                                                  • Instruction Fuzzy Hash: B721E471104380AFE7228F61DC44FA2FFB8EF46710F18849EE9844F562D375A419CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0272BC16
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: 5ef81185efaf3ae0079701a42570142f896d5f0aadca36a8f9f253d35f40a233
                                                                                                  • Instruction ID: 6e057c496479c217941008e0e4eafcd1ec724fa58878f9384861dd28c553ab9e
                                                                                                  • Opcode Fuzzy Hash: 5ef81185efaf3ae0079701a42570142f896d5f0aadca36a8f9f253d35f40a233
                                                                                                  • Instruction Fuzzy Hash: 8B218B715093C05FD7128B65CC95B92BFB8EF07224F0D84DBE885CB2A3D624A849CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B9C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: 40ae10259669e590d8942ff7c1bc5a983bb29e2cedf50423f22f788464919482
                                                                                                  • Instruction ID: 42c34c21e694c311eaad8fd47e6e7c6b8621a6d0e6fdc4dbd208743c70bcc06c
                                                                                                  • Opcode Fuzzy Hash: 40ae10259669e590d8942ff7c1bc5a983bb29e2cedf50423f22f788464919482
                                                                                                  • Instruction Fuzzy Hash: C721B576409780AFD7228B51CC44F96FFB8EF06314F18858AE9859B5A2D364E50CCB71
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B3C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: 99ace0c4513a616ab33ca59afad9f3701c3408ec276d1bc1fb8d7bfba8ab3018
                                                                                                  • Instruction ID: 32f1ff2d191e4b41777877674499572862aa5fc43a656b7e92063c5787badb4f
                                                                                                  • Opcode Fuzzy Hash: 99ace0c4513a616ab33ca59afad9f3701c3408ec276d1bc1fb8d7bfba8ab3018
                                                                                                  • Instruction Fuzzy Hash: 9F21A1725097806FD7228F11CC44FA7BFB8EF46614F18849AE9458B652D364E808C771
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileView
                                                                                                  • String ID:
                                                                                                  • API String ID: 3314676101-0
                                                                                                  • Opcode ID: e1cefc8500b2500f756cc6091d85992aeb7400c98921a9bb21839ee91ccc17d5
                                                                                                  • Instruction ID: 30cb66ddd84f57e6d082e1c2633bd8bb1f5d165b7ad0fffb85397cf138828b4b
                                                                                                  • Opcode Fuzzy Hash: e1cefc8500b2500f756cc6091d85992aeb7400c98921a9bb21839ee91ccc17d5
                                                                                                  • Instruction Fuzzy Hash: FE218071409380AFE722CB55DC44F96FFFCEF09224F18849EE9858B652D365E518CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 059F14A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Socket
                                                                                                  • String ID:
                                                                                                  • API String ID: 38366605-0
                                                                                                  • Opcode ID: 09f7ad586f41f99a124ec96de0e02c1ce2301126d1e08bfbb7945959e926bac3
                                                                                                  • Instruction ID: 9c0762a95c468badb18aea38b5f0466a8577e993b1fc1fa56093747963187c00
                                                                                                  • Opcode Fuzzy Hash: 09f7ad586f41f99a124ec96de0e02c1ce2301126d1e08bfbb7945959e926bac3
                                                                                                  • Instruction Fuzzy Hash: EF218071409380AFE721CF51DC45FA6FFB8EF05220F18889EE9858B652D375A419CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0272AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: 01226f7685a19c0ea61017495d3db459bb9f02e36e26cbc6758ff5a4eafd522a
                                                                                                  • Instruction ID: de7fdae46d216ba0936b32b97d15489e2c93e6993747320b321e19fd8f5cc839
                                                                                                  • Opcode Fuzzy Hash: 01226f7685a19c0ea61017495d3db459bb9f02e36e26cbc6758ff5a4eafd522a
                                                                                                  • Instruction Fuzzy Hash: 3021BD71504240AFEB20CF65CC85FA6FBE8EF08724F1888AEE9458B651D371E418CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F17E8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: 58db2407abfbc2bc68bb16b9fdc0ef60539d955a77ef50f78f6213178285d4aa
                                                                                                  • Instruction ID: 54a0a1397983218dc240e85c65e2f8f14bd983126365a08131c7270b86130362
                                                                                                  • Opcode Fuzzy Hash: 58db2407abfbc2bc68bb16b9fdc0ef60539d955a77ef50f78f6213178285d4aa
                                                                                                  • Instruction Fuzzy Hash: 57217C72509380AFE722CB51DC44FA6FFFCAF45610F08859AE9459B692D364E908CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 059F18D3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                                                  • String ID:
                                                                                                  • API String ID: 3907675253-0
                                                                                                  • Opcode ID: c66612e5ebaec7d841b8e8ae4f6e4632b6e27b337e8520189841590d63a317a6
                                                                                                  • Instruction ID: c05d10770c818bdbb2e8b6ba94e1344b305fffe40d832b2408d091ee910f5a73
                                                                                                  • Opcode Fuzzy Hash: c66612e5ebaec7d841b8e8ae4f6e4632b6e27b337e8520189841590d63a317a6
                                                                                                  • Instruction Fuzzy Hash: AF21D172500204AFEB20DF65EC85FAAFBECEF04610F14886AEA45DB651D774E509CBB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0272B1D1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Open
                                                                                                  • String ID:
                                                                                                  • API String ID: 71445658-0
                                                                                                  • Opcode ID: 5ab5d26dc7aaebed434b3c46aeab4d8d2ca2502d0c3088bd11b45f6017c6396a
                                                                                                  • Instruction ID: 5fa543ef8348216ffe4cbf10ab9054b126cc599b2fa2398cc79aad9138aaca30
                                                                                                  • Opcode Fuzzy Hash: 5ab5d26dc7aaebed434b3c46aeab4d8d2ca2502d0c3088bd11b45f6017c6396a
                                                                                                  • Instruction Fuzzy Hash: 35219D72500304AEE7209F51CC85FABFBECEF08628F14855AE9459BA52D764E50D8AB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272AE4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2738559852-0
                                                                                                  • Opcode ID: cfe8e36120796536b80c935fcbcc8dcf4700b93d2ed54a908ed51b792437353d
                                                                                                  • Instruction ID: 8366ed02cd51af2da26ff13ddc394de4877c6feaff279ae782a8bc4b677094ea
                                                                                                  • Opcode Fuzzy Hash: cfe8e36120796536b80c935fcbcc8dcf4700b93d2ed54a908ed51b792437353d
                                                                                                  • Instruction Fuzzy Hash: 7321CF72405340AFE7228F51DC44FA7BFBCEF45720F14849AE9849B652D264A919CBB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272ACBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3081899298-0
                                                                                                  • Opcode ID: 65509a348246098e98539f8cd09d8bfe4788954bffffda006a399ac4318e50d8
                                                                                                  • Instruction ID: 62c895f839fe4675ec651c4da5869a481563de5a39fabf506e3333d222f57d93
                                                                                                  • Opcode Fuzzy Hash: 65509a348246098e98539f8cd09d8bfe4788954bffffda006a399ac4318e50d8
                                                                                                  • Instruction Fuzzy Hash: FD21A5B54093806FE7128B61DC44BA6BFBCEF46724F1880DBE9848B693D364A90DD771
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F2357
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessSizeWorking
                                                                                                  • String ID:
                                                                                                  • API String ID: 3584180929-0
                                                                                                  • Opcode ID: 3ac30ebf72e4692c1739da827ffc3a4f4e326dacdb153af2393e9a3bef3d641a
                                                                                                  • Instruction ID: 5bbed06f8263333305daf44ddba05e66f52f2e474a0390533a1541861a8c6291
                                                                                                  • Opcode Fuzzy Hash: 3ac30ebf72e4692c1739da827ffc3a4f4e326dacdb153af2393e9a3bef3d641a
                                                                                                  • Instruction Fuzzy Hash: A521C2B14093806FDB11CB61CC44FA6FFBCEF45620F1884AAE9449B552D364A908CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0272B01D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: 3f57868b47ec8c04aae692786176f81e103c8c5685b556f46741b33fcf9b7c92
                                                                                                  • Instruction ID: 71a18b9690469805a7e03364d4b4b09e35bb4cfe98632ff90fb2158f8cd6dbd4
                                                                                                  • Opcode Fuzzy Hash: 3f57868b47ec8c04aae692786176f81e103c8c5685b556f46741b33fcf9b7c92
                                                                                                  • Instruction Fuzzy Hash: B021BEB1504240AFE721CF65CC85FA6FBE8EF04624F18846AE9488B691E775E409CA72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(?), ref: 0272AA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: e816aaad01a74bf177a0fae193c8b9f1092911e1c128cbca70f7ac7b3dd72ac2
                                                                                                  • Instruction ID: 2386d99900f9e47d06cd864ae54a2391f26d3b36df3ba373e030ba2a3ad02347
                                                                                                  • Opcode Fuzzy Hash: e816aaad01a74bf177a0fae193c8b9f1092911e1c128cbca70f7ac7b3dd72ac2
                                                                                                  • Instruction Fuzzy Hash: 6C21596540E3C0AFD7138B258C50A51BFB4EF57620F0E81DBD9848F5A3C268980DCB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 0272B76A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CopyFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 1304948518-0
                                                                                                  • Opcode ID: 9f2d06a0d283a5970d4585ba74c7f4f803b0f3bc0f7a6496a5b4ee9f74907597
                                                                                                  • Instruction ID: e40d64e3f5f8b6931a6d25fbdc138a382e71262c470e84f34f00d998efa6c81b
                                                                                                  • Opcode Fuzzy Hash: 9f2d06a0d283a5970d4585ba74c7f4f803b0f3bc0f7a6496a5b4ee9f74907597
                                                                                                  • Instruction Fuzzy Hash: 2D2190715093816FEB21CF25CC44B62BFF8EF46624F0884DAED85CB252D265E808CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0272ABF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: e49b8e5db995a895c038bc7b755bf0a8fa74d63c9e69ab935b2a0fd932f78feb
                                                                                                  • Instruction ID: 66de700ca4af74dbe870c443254fb0be5a5169bc1e2a8b0a8feabae072a3ede4
                                                                                                  • Opcode Fuzzy Hash: e49b8e5db995a895c038bc7b755bf0a8fa74d63c9e69ab935b2a0fd932f78feb
                                                                                                  • Instruction Fuzzy Hash: 3B21F3754093C09FDB128B25DC91792BFA8EF06320F0984DAED858B2A3D2649908CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B2D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: fcafa39fa525dc55b35fd894c54b9e2ad042c7a94c0ba33ae598d7177c77e1b4
                                                                                                  • Instruction ID: aa96f79eca88d8cce761ea016864a36bce2f7bcabf344b0629d2f4a8b2c87b2d
                                                                                                  • Opcode Fuzzy Hash: fcafa39fa525dc55b35fd894c54b9e2ad042c7a94c0ba33ae598d7177c77e1b4
                                                                                                  • Instruction Fuzzy Hash: 91219D76604700AFE720CF55DC84FABF7ECEF08628F18845AE9458B652D760E90CCAB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DeleteFileW.KERNELBASE(?), ref: 0272B8E4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DeleteFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 4033686569-0
                                                                                                  • Opcode ID: 5ccda16e05db7b8f208b31c6c812d8c2cd390734fb74d33e31c882b87cdfa94b
                                                                                                  • Instruction ID: 9d84b8b2222978158d4a9f5ea9a47f43a314e60e84d6bb677385fe5bf8bafcc5
                                                                                                  • Opcode Fuzzy Hash: 5ccda16e05db7b8f208b31c6c812d8c2cd390734fb74d33e31c882b87cdfa94b
                                                                                                  • Instruction Fuzzy Hash: C02193B25093809FD712CB25DC55B52BFB8EF06214F0984DBED85DF2A3D2649908CB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • K32EnumProcesses.KERNEL32(?,?,?,194A495F,00000000,?,?,?,?,?,?,?,?,6CDA3C58), ref: 0272BF0A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnumProcesses
                                                                                                  • String ID:
                                                                                                  • API String ID: 84517404-0
                                                                                                  • Opcode ID: aae6cfb2168c06efb03fbfa81a1a147390c2169e65b1e01ae6d6f4fa52e692fd
                                                                                                  • Instruction ID: 709af22335e833d10d593126353843af1b23bb365332d7085d499f11d9e937cf
                                                                                                  • Opcode Fuzzy Hash: aae6cfb2168c06efb03fbfa81a1a147390c2169e65b1e01ae6d6f4fa52e692fd
                                                                                                  • Instruction Fuzzy Hash: C3215E715093809FD712CB65DC85B96BFF8AF06224F0984EAE985CB163D264A909CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileView
                                                                                                  • String ID:
                                                                                                  • API String ID: 3314676101-0
                                                                                                  • Opcode ID: b6269a1467ad7e9b9d1f13b457cd354b776fe028ad2098c849e4bface40867bb
                                                                                                  • Instruction ID: 4c02971259decf0e91fa7a35df1091c740b0244bf77f47174da63b97202c28a2
                                                                                                  • Opcode Fuzzy Hash: b6269a1467ad7e9b9d1f13b457cd354b776fe028ad2098c849e4bface40867bb
                                                                                                  • Instruction Fuzzy Hash: 0721AE71504200AFE721CF55DC85FAAFBECEF08224F14885EEA458BA51D375E419CBB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 059F14A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Socket
                                                                                                  • String ID:
                                                                                                  • API String ID: 38366605-0
                                                                                                  • Opcode ID: 8dbcabdc229b764a2d464ae1dcc01441bfd4126452b96f6187c5287917f635f3
                                                                                                  • Instruction ID: 24f148c436215b989567a5f0acbc339ec09896422978a77e23075f1c3b630de0
                                                                                                  • Opcode Fuzzy Hash: 8dbcabdc229b764a2d464ae1dcc01441bfd4126452b96f6187c5287917f635f3
                                                                                                  • Instruction Fuzzy Hash: D321CF71504240AFEB21CF51DC85FA6FBF8EF08320F14885EEA458BA51D375A419CBB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 059F219E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Connect
                                                                                                  • String ID:
                                                                                                  • API String ID: 3144859779-0
                                                                                                  • Opcode ID: 1db24b562e89152bdde194b38b900cad0a6fffad3d35a9b2da012d2118fd7656
                                                                                                  • Instruction ID: 7978170d45192437b29ab66964f9b303699ca37012ba8502aa66bd2142aee75e
                                                                                                  • Opcode Fuzzy Hash: 1db24b562e89152bdde194b38b900cad0a6fffad3d35a9b2da012d2118fd7656
                                                                                                  • Instruction Fuzzy Hash: 5B219F75508380AFDB228F51DC44B62BFF8EF06310F0885DAEE858B163D375A819DB61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0272B4B1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendTimeout
                                                                                                  • String ID:
                                                                                                  • API String ID: 1599653421-0
                                                                                                  • Opcode ID: c270cbfbf663c21b43d292fc3d57f00fa3a8be755c66d9b9172d252ff7f7c6b7
                                                                                                  • Instruction ID: ed2e44ff39d8a8048fcf6f29f2072e945c3eaf8d13c03e5b54c622911d0dd877
                                                                                                  • Opcode Fuzzy Hash: c270cbfbf663c21b43d292fc3d57f00fa3a8be755c66d9b9172d252ff7f7c6b7
                                                                                                  • Instruction Fuzzy Hash: 3121B471400200AFEB318F51DC81FA6FBB8EF04714F14855AEE455A651D775A51DCBB1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B3C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0272A690
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F17E8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetProcessTimes.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F1EE5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessTimes
                                                                                                  • String ID:
                                                                                                  • API String ID: 1995159646-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F2357
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessSizeWorking
                                                                                                  • String ID:
                                                                                                  • API String ID: 3584180929-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F2273
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessSizeWorking
                                                                                                  • String ID:
                                                                                                  • API String ID: 3584180929-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0272A5DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DuplicateHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 3793708945-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272B9C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 059F05D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CodeExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 3861947596-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272AE4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2738559852-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0272BC16
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 0272B76A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CopyFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 1304948518-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(?,00000E24,194A495F,00000000,00000000,00000000,00000000), ref: 0272ACBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3081899298-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WaitForInputIdle.USER32(?,?), ref: 0272B6AF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: IdleInputWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 2200289081-0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • K32EnumProcesses.KERNEL32(?,?,?,194A495F,00000000,?,?,?,?,?,?,?,?,6CDA3C58), ref: 0272BF0A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnumProcesses
                                                                                                  • String ID:
                                                                                                  • API String ID: 84517404-0
                                                                                                  • Opcode ID: fd8bfecceb32ba12efabdc0971809d1905668875aba9fba6365a09c495475905
                                                                                                  • Instruction ID: ef5f4cd004c5eb000b813add27d1e1539a0e906ea9178d0893f17847b8da1a2a
                                                                                                  • Opcode Fuzzy Hash: fd8bfecceb32ba12efabdc0971809d1905668875aba9fba6365a09c495475905
                                                                                                  • Instruction Fuzzy Hash: 5511A1715002409FDB10CF65D884B66FBE8EF05224F0884AADE498B662D770E408CF61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 059F219E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Connect
                                                                                                  • String ID:
                                                                                                  • API String ID: 3144859779-0
                                                                                                  • Opcode ID: 1683e90b5ab73a7bacb6760aa97b44779f664b6d2947cc7d337b5fbbafb1012f
                                                                                                  • Instruction ID: 3637aab0162997b67b198665bf83f1069a2a607b676210d508b7bbfd7bdeada3
                                                                                                  • Opcode Fuzzy Hash: 1683e90b5ab73a7bacb6760aa97b44779f664b6d2947cc7d337b5fbbafb1012f
                                                                                                  • Instruction Fuzzy Hash: 02115A35500204DFDB20CF55DD84B66FBE9FF08720F0889AADE468B622D371E459DB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DeleteFileW.KERNELBASE(?), ref: 0272B8E4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DeleteFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 4033686569-0
                                                                                                  • Opcode ID: e470b1b8544e0427c5e1643fd5136149c8faeced4953e62628a03a94dc680bbc
                                                                                                  • Instruction ID: 2f2ab5c06611ded90791c3654bb47d2f8d854407372706af2040e79f188a73fb
                                                                                                  • Opcode Fuzzy Hash: e470b1b8544e0427c5e1643fd5136149c8faeced4953e62628a03a94dc680bbc
                                                                                                  • Instruction Fuzzy Hash: BF019E729002449FDB10CF6AD885766BBE8EF04624F08C4AADD49DB752D774E408CBA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 059F2462
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FormatMessage
                                                                                                  • String ID:
                                                                                                  • API String ID: 1306739567-0
                                                                                                  • Opcode ID: 729e21f1449fc5495b5b33d7bc57396a3ca64ca3da1c9907c3bd25ede9e5b4e0
                                                                                                  • Instruction ID: a20338d23d137dce9a5144475eae374fd149cea5c93861da74906c8f736742ba
                                                                                                  • Opcode Fuzzy Hash: 729e21f1449fc5495b5b33d7bc57396a3ca64ca3da1c9907c3bd25ede9e5b4e0
                                                                                                  • Instruction Fuzzy Hash: 93017171500200AFD350DF16DC46B66FBF8EB88B20F24855AED499BB41D731B925CBE5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0272A5DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DuplicateHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 3793708945-0
                                                                                                  • Opcode ID: 85d0012601f45ecc80ef75aa6a5e4091d6c5389023acefb1b7e6439063b44305
                                                                                                  • Instruction ID: 8018a40abba3cead938114561281d4e1b147f258adf2979ba3154c61e0749418
                                                                                                  • Opcode Fuzzy Hash: 85d0012601f45ecc80ef75aa6a5e4091d6c5389023acefb1b7e6439063b44305
                                                                                                  • Instruction Fuzzy Hash: 0A016D72400640DFDB218F95D884B56FFE4EF08720F08899AEE495B662D376E419DF62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0272ABF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: 5a9239ef5e55c0e2e56ed216f2c7d7c5a2d289dd02c853b2e3bc3c90203896dc
                                                                                                  • Instruction ID: f273950ddebccceb3080878dd037fbd2eeb833b8936f59cdd492b5f7ffcc36a9
                                                                                                  • Opcode Fuzzy Hash: 5a9239ef5e55c0e2e56ed216f2c7d7c5a2d289dd02c853b2e3bc3c90203896dc
                                                                                                  • Instruction Fuzzy Hash: 5D01DB719042409FDB10CF66E8857A6FBE8EF04220F08C4AADD098F662D375E448CAA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0272A77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard
                                                                                                  • String ID:
                                                                                                  • API String ID: 220874293-0
                                                                                                  • Opcode ID: dc29f418b8f6e6b6ec5977a893ed7c1e98e0569d75fa8aa0c45c528193d23e77
                                                                                                  • Instruction ID: a9766009f439561ae6e945a9a6ca4bc165535075979242ef0290098536324823
                                                                                                  • Opcode Fuzzy Hash: dc29f418b8f6e6b6ec5977a893ed7c1e98e0569d75fa8aa0c45c528193d23e77
                                                                                                  • Instruction Fuzzy Hash: 6F016271600600ABD210DF16DC46B66FBF8FB88A20F248159ED089BB41D775F925CBE6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 059F13EA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4571109438.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_59f0000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3660427363-0
                                                                                                  • Opcode ID: d49663126a62b62154e29871e786057f20d60030608f47d429a978e53aa70f39
                                                                                                  • Instruction ID: 06e2a0af118b27556d76ea4ddceb1c7a0ca19777a90c65b5a27117bfc7662b2f
                                                                                                  • Opcode Fuzzy Hash: d49663126a62b62154e29871e786057f20d60030608f47d429a978e53aa70f39
                                                                                                  • Instruction Fuzzy Hash: 7F016271600600ABD210DF16DC46B66FBF8FB88B20F24815AED499BB41D771F925CBE6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • WaitForInputIdle.USER32(?,?), ref: 0272B6AF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: IdleInputWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 2200289081-0
                                                                                                  • Opcode ID: dd12e86a572a61e89c369455d2cbd199bb4d4b8a957c7dca53bc310272d76aa8
                                                                                                  • Instruction ID: 4bf97c601c98adfac4a7e8e1a6086fc06fe6c715d3fe827634fd2eec4f165067
                                                                                                  • Opcode Fuzzy Hash: dd12e86a572a61e89c369455d2cbd199bb4d4b8a957c7dca53bc310272d76aa8
                                                                                                  • Instruction Fuzzy Hash: DE018B718042449FDB10CF55D884B66FBE4EF04624F18C8AADD499F266D375E419CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0272A690
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: ad557555b93f204c39aa668f0e6cf342186b497b460df6754dcd6a504525d1e7
                                                                                                  • Instruction ID: b7eda5cad1f3b7a59054f6e14a19a73ab6bc913123d0a57b1a5306103434e302
                                                                                                  • Opcode Fuzzy Hash: ad557555b93f204c39aa668f0e6cf342186b497b460df6754dcd6a504525d1e7
                                                                                                  • Instruction Fuzzy Hash: C8016D71804240DFDB10CF56D889766FBE4EF04620F08C4AADD499F766D375A409CEA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl
                                                                                                  • API String ID: 0-4153197625
                                                                                                  • Opcode ID: cbc91b7bb3fa21d61c7b0402dc5db4bf42e31a8bb3714a9cd2baadeda6de8540
                                                                                                  • Instruction ID: bfa45b8dcf1024fb844d503f088aeb72c073e0b7173170652d5a431d20bda0da
                                                                                                  • Opcode Fuzzy Hash: cbc91b7bb3fa21d61c7b0402dc5db4bf42e31a8bb3714a9cd2baadeda6de8540
                                                                                                  • Instruction Fuzzy Hash: BFA10274A043108BDB14EB36E8467AC37E6FF88314F144668D412AB3E5EB35EE46CB50
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(?), ref: 0272AA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567036869.000000000272A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0272A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_272a000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 2e3d860686334c56610033bd74ba62d74bf994a9e43c0e9eb6f1348208af6e47
                                                                                                  • Instruction ID: f4182bc97907565f97f2fbae63d495164dd43e580d3df4b60cd3b76ed670f602
                                                                                                  • Opcode Fuzzy Hash: 2e3d860686334c56610033bd74ba62d74bf994a9e43c0e9eb6f1348208af6e47
                                                                                                  • Instruction Fuzzy Hash: ADF08735800240DFDB208F16D984BA5FBE4EF04A24F08C09ADD494B766D3B9A508CEA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l
                                                                                                  • API String ID: 0-533218248
                                                                                                  • Opcode ID: 948053f39c1544eb65d411e688011eb02450b8071d22e10a5a5a6b8aeac2b0f1
                                                                                                  • Instruction ID: c5002b1f74008cbcc6d62b36e9dcbb0bb5fc1a82726244029e27e2aec9f309f4
                                                                                                  • Opcode Fuzzy Hash: 948053f39c1544eb65d411e688011eb02450b8071d22e10a5a5a6b8aeac2b0f1
                                                                                                  • Instruction Fuzzy Hash: 5B916E78A002288FDB64EF35D8517AD73B6AF89308F5042E9D5096B3D4DB359E86CF40
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: aad8269267e7b4e4232eadfdebbc844aa65d29ab6cf1f91b8d3fcdfe7565c998
                                                                                                  • Instruction ID: 3c546bab14d5cba039406c766646c6724aba77d17e6743315809d1d6929ea160
                                                                                                  • Opcode Fuzzy Hash: aad8269267e7b4e4232eadfdebbc844aa65d29ab6cf1f91b8d3fcdfe7565c998
                                                                                                  • Instruction Fuzzy Hash: A2E0C230A09108DFCB44CF68AD11ABC77A8E700304F0085EAE409D7251EB312E019796
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7fded589fdada03ab97785ad15acc19d2af17154caca69db8ea338ebd016471a
                                                                                                  • Instruction ID: 6b85e6cae700df58aa5fe5adf99cd03c8771a038a58bd4fc5f91da83ef71d850
                                                                                                  • Opcode Fuzzy Hash: 7fded589fdada03ab97785ad15acc19d2af17154caca69db8ea338ebd016471a
                                                                                                  • Instruction Fuzzy Hash: 88D02B30147340CFC70927B460141183734A74620DB4448FEC44107382EB36D482C740
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 040057a7cce781fd476e04a8b7b025659b23ac6f5e4e3c2752f6f54a37df2c5a
                                                                                                  • Instruction ID: 7b23e8014baf20d977b2e2584902bd39b7ef3a1aecacb35f71fd678582a86166
                                                                                                  • Opcode Fuzzy Hash: 040057a7cce781fd476e04a8b7b025659b23ac6f5e4e3c2752f6f54a37df2c5a
                                                                                                  • Instruction Fuzzy Hash: EBD05E71D8A2489BCB0ADBE1A9383AC7B68AB41102F00859ADC0543241EF350A289761
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567015636.0000000002722000.00000040.00000800.00020000.00000000.sdmp, Offset: 02722000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_2722000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a7d1952060335b8dbc7f575522b995891f62265b7f70858b30827e9595464dd3
                                                                                                  • Instruction ID: 414b297a6fa1f00d03b6ab8bc107b3763f2d135b9655dfa4d881354422b215c2
                                                                                                  • Opcode Fuzzy Hash: a7d1952060335b8dbc7f575522b995891f62265b7f70858b30827e9595464dd3
                                                                                                  • Instruction Fuzzy Hash: 10D02E393006D04FD3129B0CC1A4B8537D4AB80708F0A00FAEC008B773C768E8C4C610
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4570585280.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_5030000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3ea4ae6532bd076bdf731e5837ff91e02d8a86403d4981ffdd6702dc93cfa768
                                                                                                  • Instruction ID: 9009440e1079e54e599ef2f0741fb1a8bb7fa480dd7abf5246199c3095dfc49c
                                                                                                  • Opcode Fuzzy Hash: 3ea4ae6532bd076bdf731e5837ff91e02d8a86403d4981ffdd6702dc93cfa768
                                                                                                  • Instruction Fuzzy Hash: 49D0C971E15208EF8748DFA8DD1199DB7F9EB45215B1185FAA809D3250EF315E10DB81
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.4567015636.0000000002722000.00000040.00000800.00020000.00000000.sdmp, Offset: 02722000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_8_2_2722000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 68dc4f93f4e7737816e74f9e9f0ada935578251733e530294a22b3fb3212a3fe
                                                                                                  • Instruction ID: 1f56e7cc7cfcceac266dd48bfd18c208ab46720adfca53be592ca5872018e7be
                                                                                                  • Opcode Fuzzy Hash: 68dc4f93f4e7737816e74f9e9f0ada935578251733e530294a22b3fb3212a3fe
                                                                                                  • Instruction Fuzzy Hash: 50D05E342002814BC719DB0CC2D4F5937D4AF80719F0644E8AC108B773C7A4E8C4CA00
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:14.6%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:52
                                                                                                  Total number of Limit Nodes:4
                                                                                                  execution_graph (node/edge dump omitted; API nodes on the graph: SetErrorMode, DuplicateHandle, CreateMutexW, GetFileType, CreateFileW, FindCloseChangeNotification, OleInitialize, OleGetClipboard, WriteFile)

                                                                                                  Callgraph

                                                                                                  callgraph (interactive rendering; node/edge dump omitted)

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph (basic-block dump omitted)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl$2Gl$5]&l^$E]&l^
                                                                                                  • API String ID: 0-2992499262
                                                                                                  • Opcode ID: 299b23d2232c2334e44b48e09a5031da8ea199986040a5d9c576314c49eb2e12
                                                                                                  • Instruction ID: 25c78d5e3bc5861fbba87f49feca27738e5f00aacf4748f929b425b573b5988d
                                                                                                  • Opcode Fuzzy Hash: 299b23d2232c2334e44b48e09a5031da8ea199986040a5d9c576314c49eb2e12
                                                                                                  • Instruction Fuzzy Hash: 2031E031B052405FC308EBB9D811FAE7BA79BC2608F1484AED0419FB96CF768C0987E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph (basic-block dump omitted)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl$2Gl$5]&l^$E]&l^
                                                                                                  • API String ID: 0-2992499262
                                                                                                  • Opcode ID: 1014fdc95cfe7e159babfc2f4fe036ee5341621123dd5976588747663f96ad0b
                                                                                                  • Instruction ID: 5de6b6fa9d1ad52262f9718703d1d95b4a96e15fd31410483d0a5b2e9e690975
                                                                                                  • Opcode Fuzzy Hash: 1014fdc95cfe7e159babfc2f4fe036ee5341621123dd5976588747663f96ad0b
                                                                                                  • Instruction Fuzzy Hash: F2119A35B042404BC314E7B9E811FAE7A935BC1608B64806ED0819FF56CF768C0A87E2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph (basic-block dump omitted)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: \OGl$2Gl
                                                                                                  • API String ID: 0-915996941
                                                                                                  • Opcode ID: 1e7aba9627e4b7d7371d850dfffaeaf818fd090a0f6d152fd10438e1dff0efc7
                                                                                                  • Instruction ID: d7547fb87264dc33f5a907383231606601dea7f7f70fc1835c66b7615ce7e0d3
                                                                                                  • Opcode Fuzzy Hash: 1e7aba9627e4b7d7371d850dfffaeaf818fd090a0f6d152fd10438e1dff0efc7
                                                                                                  • Instruction Fuzzy Hash: D6323A34A00218CFDB14EF78C954BEDBBB2AF48308F1045A9D409ABB95DB759E85CF90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph (basic-block dump omitted; contains the CreateFileW call listed under APIs)
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B2AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: 734fadeda468f417fe73a14ff99edb466910a23a3b0d09e94d508e7be68e7de3
                                                                                                  • Instruction ID: 2aad5e4c98c2e0b6ce35d1d560bb99c5cee77e7ea444c5a5bb47f54063e13935
                                                                                                  • Opcode Fuzzy Hash: 734fadeda468f417fe73a14ff99edb466910a23a3b0d09e94d508e7be68e7de3
                                                                                                  • Instruction Fuzzy Hash: 54317E71509380AFE721CF65DC85F56BBF8EF05710F0884DEE9898B652D365E809CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 202 b2af76-b2aff9 206 b2affb 202->206 207 b2affe-b2b007 202->207 206->207 208 b2b009 207->208 209 b2b00c-b2b015 207->209 208->209 210 b2b066-b2b06b 209->210 211 b2b017-b2b03b CreateMutexW 209->211 210->211 214 b2b06d-b2b072 211->214 215 b2b03d-b2b063 211->215 214->215
                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00B2B01D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: 55dfed90e6868df239efa09ac7364b44215702260ab8f9c818a0000c103edfed
                                                                                                  • Instruction ID: 4fa656b276cd4ac5e71a92e37a1fbd36d8b96138edfad3a649ef00df934d7e33
                                                                                                  • Opcode Fuzzy Hash: 55dfed90e6868df239efa09ac7364b44215702260ab8f9c818a0000c103edfed
                                                                                                  • Instruction Fuzzy Hash: 2F3172715093806FE712CB65DC45F96BFF8EF06310F1884DAE948CB292D365A909C762
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 218 b2a6ce-b2a72b 219 b2a72e-b2a786 OleGetClipboard 218->219 221 b2a78c-b2a7a2 219->221
                                                                                                  APIs
                                                                                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00B2A77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard
                                                                                                  • String ID:
                                                                                                  • API String ID: 220874293-0
                                                                                                  • Opcode ID: 0d9eabd970a877b8fef8d9170bd1adfe2f7b8da288a72ff8d50f590419a25a90
                                                                                                  • Instruction ID: 94434535d4ce1eaf015001a296a16fa0dd2ba205874e72b3b210d3519f035122
                                                                                                  • Opcode Fuzzy Hash: 0d9eabd970a877b8fef8d9170bd1adfe2f7b8da288a72ff8d50f590419a25a90
                                                                                                  • Instruction Fuzzy Hash: 5C317E7114D3C06FD3138B259C61B62BFB8EF47614F0A40CBE884CB6A3D2296919D772
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 222 b2aaa6-b2aafe 225 b2ab03-b2ab0f 222->225 226 b2ab00 222->226 227 b2ab11 225->227 228 b2ab14-b2ab1d 225->228 226->225 227->228 229 b2ab6e-b2ab73 228->229 230 b2ab1f-b2ab27 CreateFileW 228->230 229->230 232 b2ab2d-b2ab43 230->232 233 b2ab75-b2ab7a 232->233 234 b2ab45-b2ab6b 232->234 233->234
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B2AB25
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: a926fa8bef5948035ef1d9873fac61afebd02f9933b5ce50bd503b1ebf172731
                                                                                                  • Instruction ID: 985df32dcde07c027a58a0b3f7bc29dc9c0c4468ea9a9e4e112c3ea716e6248a
                                                                                                  • Opcode Fuzzy Hash: a926fa8bef5948035ef1d9873fac61afebd02f9933b5ce50bd503b1ebf172731
                                                                                                  • Instruction Fuzzy Hash: 8C21B071504240AFEB20CF65DC89F66FBE8EF08710F1488AEE9498B651D375E809CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 248 b2ac37-b2acb5 252 b2acb7-b2acca GetFileType 248->252 253 b2acea-b2acef 248->253 254 b2acf1-b2acf6 252->254 255 b2accc-b2ace9 252->255 253->252 254->255
                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(?,00000E24,31C27C25,00000000,00000000,00000000,00000000), ref: 00B2ACBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3081899298-0
                                                                                                  • Opcode ID: dc0fe52ac04e5047af1906bca570b395f9fba79d538ea8430fdc361a3d33e890
                                                                                                  • Instruction ID: 50b04ced4493d3d548b0594d09de5eb719ca7efabc59f16932030c30f38c0a82
                                                                                                  • Opcode Fuzzy Hash: dc0fe52ac04e5047af1906bca570b395f9fba79d538ea8430fdc361a3d33e890
                                                                                                  • Instruction Fuzzy Hash: 8421BBB54093806FE7128B61DC44BA2BFBCDF47714F1880DBE9848B653D264A909D771
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 237 b2a9bf-b2aa3c 242 b2aa67-b2aa6c 237->242 243 b2aa3e-b2aa51 SetErrorMode 237->243 242->243 244 b2aa53-b2aa66 243->244 245 b2aa6e-b2aa73 243->245 245->244
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00B2AA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 087f7bab380a4af2aad449a1356f4eaa5f7cb42e66ad68df4290180c65f1102d
                                                                                                  • Instruction ID: 8a6020e47f2070bade84bfe033c4b6af229ab54580965370c4685d854612d554
                                                                                                  • Opcode Fuzzy Hash: 087f7bab380a4af2aad449a1356f4eaa5f7cb42e66ad68df4290180c65f1102d
                                                                                                  • Instruction Fuzzy Hash: DD21486540E3C0AFDB138B259C64A51BFB4EF57624F0E81DBD8848F5A3D2689849CB72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 259 b2afaa-b2aff9 262 b2affb 259->262 263 b2affe-b2b007 259->263 262->263 264 b2b009 263->264 265 b2b00c-b2b015 263->265 264->265 266 b2b066-b2b06b 265->266 267 b2b017-b2b01f CreateMutexW 265->267 266->267 268 b2b025-b2b03b 267->268 270 b2b06d-b2b072 268->270 271 b2b03d-b2b063 268->271 270->271
                                                                                                  APIs
                                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00B2B01D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateMutex
                                                                                                  • String ID:
                                                                                                  • API String ID: 1964310414-0
                                                                                                  • Opcode ID: 260e2bd593842412e8e17db162aba94015a594e881e420c587e10372b7af3206
                                                                                                  • Instruction ID: f512a258cf8d65ae532f7a4e40d035b22d00438d58b56f66ca2eeb1cc206972b
                                                                                                  • Opcode Fuzzy Hash: 260e2bd593842412e8e17db162aba94015a594e881e420c587e10372b7af3206
                                                                                                  • Instruction Fuzzy Hash: B921B071504240AFE721CF65DC85FA7FBE8EF04310F1484A9E948CB651D775E809CA72
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 274 b2ab7c-b2abe8 276 b2abea-b2abf2 FindCloseChangeNotification 274->276 277 b2ac29-b2ac2e 274->277 278 b2abf8-b2ac0a 276->278 277->276 280 b2ac30-b2ac35 278->280 281 b2ac0c-b2ac28 278->281 280->281
                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00B2ABF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: 964626a12e79fd829151cfc340f10aac96c58854fb53a8c57cc4a6a147cc5d1e
                                                                                                  • Instruction ID: f61a8c925f86df6f10e57b9fe275e29a79b7397bc432cb4dafb7bed87f999b14
                                                                                                  • Opcode Fuzzy Hash: 964626a12e79fd829151cfc340f10aac96c58854fb53a8c57cc4a6a147cc5d1e
                                                                                                  • Instruction Fuzzy Hash: 9721CF754093C09FDB138B25EC95752BFB8EF07220F0984DBDC858F2A3D2649909CB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 283 b2adce-b2ae45 287 b2ae47-b2ae67 WriteFile 283->287 288 b2ae89-b2ae8e 283->288 291 b2ae90-b2ae95 287->291 292 b2ae69-b2ae86 287->292 288->287 291->292
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(?,00000E24,31C27C25,00000000,00000000,00000000,00000000), ref: 00B2AE4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3934441357-0
                                                                                                  • Opcode ID: 70c61a1fddc535a9311917814234818acdfdd5ac3e5c176cd21132d2cd423d6e
                                                                                                  • Instruction ID: 7eaede7b244cc334908b70fe72965caaa8dc7f12dd395a683ddae2fb67a6107c
                                                                                                  • Opcode Fuzzy Hash: 70c61a1fddc535a9311917814234818acdfdd5ac3e5c176cd21132d2cd423d6e
                                                                                                  • Instruction Fuzzy Hash: AB219F71409380AFDB22CF51DC84F97FFB8EF45310F18889AE9459B552D264A909CBB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 295 b2a61e-b2a688 297 b2a6c0-b2a6c5 295->297 298 b2a68a-b2a692 OleInitialize 295->298 297->298 299 b2a698-b2a6aa 298->299 301 b2a6c7-b2a6cc 299->301 302 b2a6ac-b2a6bf 299->302 301->302
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: b0da9b641abbcc156fc0cb3a3aede81bf0008f0b8c18373cc66601640f3b7b2e
                                                                                                  • Instruction ID: 2cb02fe151291e850456a63e37302f44302f55d9df307b28606811f356c29004
                                                                                                  • Opcode Fuzzy Hash: b0da9b641abbcc156fc0cb3a3aede81bf0008f0b8c18373cc66601640f3b7b2e
                                                                                                  • Instruction Fuzzy Hash: CC21277140D3C0AFDB138B259C95A52BFB4DF07220F0984DBD9859F1A3D2699909CBA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 304 b2a573-b2a5d6 306 b2a610-b2a615 304->306 307 b2a5d8-b2a5e0 DuplicateHandle 304->307 306->307 308 b2a5e6-b2a5f8 307->308 310 b2a617-b2a61c 308->310 311 b2a5fa-b2a60d 308->311 310->311
                                                                                                  APIs
                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B2A5DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DuplicateHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 3793708945-0
                                                                                                  • Opcode ID: b4d8d64584834b15a25911cd985f03aa1a9cdde4c87b8df1166ad6e0de9944aa
                                                                                                  • Instruction ID: 2d3fb7f7cc5aac13c5ce31ba27efdd55dbacbbd5bcdd4d51c763c68eebe1f9a0
                                                                                                  • Opcode Fuzzy Hash: b4d8d64584834b15a25911cd985f03aa1a9cdde4c87b8df1166ad6e0de9944aa
                                                                                                  • Instruction Fuzzy Hash: A0117271409380AFDB228F51DC44B62FFF4EF4A310F0888DAED858B562D275A919DB62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 313 b2adee-b2ae45 316 b2ae47-b2ae4f WriteFile 313->316 317 b2ae89-b2ae8e 313->317 318 b2ae55-b2ae67 316->318 317->316 320 b2ae90-b2ae95 318->320 321 b2ae69-b2ae86 318->321 320->321
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(?,00000E24,31C27C25,00000000,00000000,00000000,00000000), ref: 00B2AE4D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3934441357-0
                                                                                                  • Opcode ID: 648c6d4de9d5aa6a4525f459af4dbd36829685c6f31d64fe73de085dcb0a4157
                                                                                                  • Instruction ID: 6cd4024af51ef4b0dce96718ba67ce9727baa97180b3a86a78baf0b97b4dcb3c
                                                                                                  • Opcode Fuzzy Hash: 648c6d4de9d5aa6a4525f459af4dbd36829685c6f31d64fe73de085dcb0a4157
                                                                                                  • Instruction Fuzzy Hash: 0111C471400300EFEB21DF51DC85FA6FBF8EF04714F24889AE9499B651D374A41A8BB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(?,00000E24,31C27C25,00000000,00000000,00000000,00000000), ref: 00B2ACBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  • String ID:
                                                                                                  • API String ID: 3081899298-0
                                                                                                  • Opcode ID: 53994e2764d8e9a8f94deb84b43a01488dce35db5dac3de4743f550308e5776f
                                                                                                  • Instruction ID: f22376d890c9b89239afff09375752f974592b58c6f003684ae7086e5cc3cc5a
                                                                                                  • Opcode Fuzzy Hash: 53994e2764d8e9a8f94deb84b43a01488dce35db5dac3de4743f550308e5776f
                                                                                                  • Instruction Fuzzy Hash: 1B01D271504200AFE720CB11EC84BA6F7E8DF44724F24C49AED098B791D774E8498AB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B2A5DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DuplicateHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 3793708945-0
                                                                                                  • Opcode ID: 3022fbd3872cad946e8000741fadac7f6f7c4ae90e2641af5e95134e21b1cd5d
                                                                                                  • Instruction ID: a80b5835d708577ef7ee26196fc6d87f397605079a504ea960a75a9c16feadc5
                                                                                                  • Opcode Fuzzy Hash: 3022fbd3872cad946e8000741fadac7f6f7c4ae90e2641af5e95134e21b1cd5d
                                                                                                  • Instruction Fuzzy Hash: 27016D72400740DFDB218F95E984B52FFE4EF08720F08899AEE494B661D376E419DF62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00B2ABF0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ChangeCloseFindNotification
                                                                                                  • String ID:
                                                                                                  • API String ID: 2591292051-0
                                                                                                  • Opcode ID: 826345d66a4a4f22594f41482a1e055e4b9f189f90772a610740111e84f21376
                                                                                                  • Instruction ID: 80e91788a21188e7390ec4a8c2fbdbc3063d8377dca4bbcc4fe3f806797a170f
                                                                                                  • Opcode Fuzzy Hash: 826345d66a4a4f22594f41482a1e055e4b9f189f90772a610740111e84f21376
                                                                                                  • Instruction Fuzzy Hash: E9018F71904240DFDB109F66ED85766FBE4EF04320F08C4EADD498F652D675E809CA62
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 00B2A77E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Clipboard
                                                                                                  • String ID:
                                                                                                  • API String ID: 220874293-0
                                                                                                  • Opcode ID: 354a4e222182ddb08d41b1190f176c71660710f5b5e55aad2d2946ebaa10a8cf
                                                                                                  • Instruction ID: 215aa95bab99629afe43deb10a3597ce99f7774bb0924a5f6a745ce54988f8b2
                                                                                                  • Opcode Fuzzy Hash: 354a4e222182ddb08d41b1190f176c71660710f5b5e55aad2d2946ebaa10a8cf
                                                                                                  • Instruction Fuzzy Hash: 80016271600600ABD210DF16DC86B66FBF8FB88A20F148159ED089BB41D775F915CBE5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2538663250-0
                                                                                                  • Opcode ID: 4451cdefdaead8e56e6c1a72b7a2c900bf8a40d66145fa2d467966e197273785
                                                                                                  • Instruction ID: 31c038331ad7847588307f34e10bf923c7ab3f142c927445540312edbf2309c0
                                                                                                  • Opcode Fuzzy Hash: 4451cdefdaead8e56e6c1a72b7a2c900bf8a40d66145fa2d467966e197273785
                                                                                                  • Instruction Fuzzy Hash: 96016D71804240DFDB11CF56E989766FBE4EF04720F18C8EADD498F662D375A409CEA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00B2AA44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2266828057.0000000000B2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2A000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_b2a000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 3844192b508a8acdab400b2829557d386ecdd4e0f37a5a17c7af5203cbf8367c
                                                                                                  • Instruction ID: e1ecb797b442e472d17e609467cbad3e295fa451a38bc599af9d8f74896eccda
                                                                                                  • Opcode Fuzzy Hash: 3844192b508a8acdab400b2829557d386ecdd4e0f37a5a17c7af5203cbf8367c
                                                                                                  • Instruction Fuzzy Hash: 96F0AF35800240DFDB208F16E984761FBE4EF09B24F08C0DADD494B752D379E909CEA2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl
                                                                                                  • API String ID: 0-4153197625
                                                                                                  • Opcode ID: ac1cdd4f55efbf879af0e75f0b8ca7bf47d96b597fe570acdbb9ff9b6d375cb0
                                                                                                  • Instruction ID: f49f04ea2aeadf97897d41e151fbbdeee228218b4e7f2a49ecf29456907be5e6
                                                                                                  • Opcode Fuzzy Hash: ac1cdd4f55efbf879af0e75f0b8ca7bf47d96b597fe570acdbb9ff9b6d375cb0
                                                                                                  • Instruction Fuzzy Hash: EE817C30A00218CFDB14EFB8C955BEDB7B2AF49308F5045A9D009AB7A4DB759E85CF51
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 2Gl
                                                                                                  • API String ID: 0-4153197625
                                                                                                  • Opcode ID: d41c92abe30a90a79dd37241ccdd458b82a2121af9a85b7df7777ed68d9e7af7
                                                                                                  • Instruction ID: 63767a96bc7c319be7eb7f19e31d37b583e537e7ca80946e02ff0705d6358c15
                                                                                                  • Opcode Fuzzy Hash: d41c92abe30a90a79dd37241ccdd458b82a2121af9a85b7df7777ed68d9e7af7
                                                                                                  • Instruction Fuzzy Hash: 92415B30A002188FDB14EFB9C955BECB7B2BF48308F5041A9D009ABA65DB745E44CF61
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: :@ l
                                                                                                  • API String ID: 0-533218248
                                                                                                  • Opcode ID: 3e8b0a83a0c30d2ef5412aa09599eb33d5f07dfc3774afa8c0c09e20663bb658
                                                                                                  • Instruction ID: c80efebf1745187294508a35269d15a9d1e2ce95f6d8fba08fb94d09a8d2c3a9
                                                                                                  • Opcode Fuzzy Hash: 3e8b0a83a0c30d2ef5412aa09599eb33d5f07dfc3774afa8c0c09e20663bb658
                                                                                                  • Instruction Fuzzy Hash: 0E3193307002159FDB04B7B9D8117BE37AB9B8820DF1044299505EBBA5DF399D06CBE1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b78e49a5b77f132d276a949a01d0dfcc2c87722aa4ff3bc39bb973725135470b
                                                                                                  • Instruction ID: 0f6af5bcd4d0338e3c7ba68973d0a30c8fb2d0992f82acb3417ccca30a66d07d
                                                                                                  • Opcode Fuzzy Hash: b78e49a5b77f132d276a949a01d0dfcc2c87722aa4ff3bc39bb973725135470b
                                                                                                  • Instruction Fuzzy Hash: 0A215CB5B002159FEB10DB69C880BAA77E5FF89708F240469E501EBB94EB70FD048B90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9aa972efb6ddbd69ab251452231cecfcb8f4c2bf779182097d1f42fc906ad34d
                                                                                                  • Instruction ID: 5b9b484782d42907db3fdd3613b55e1cd0a8f58bd6e58d038148b567b3bbe92d
                                                                                                  • Opcode Fuzzy Hash: 9aa972efb6ddbd69ab251452231cecfcb8f4c2bf779182097d1f42fc906ad34d
                                                                                                  • Instruction Fuzzy Hash: D901165544F3C11FC30387349C296863FB15A13608B5E84DBD0849F5F7D66D490EC7A2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267575735.00000000010F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_10f0000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 722fd3c3e0835aacd92bc5106c907bfc3cf41df67ef9894d2d8ef5168b5d82c5
                                                                                                  • Instruction ID: f6e145211ab06e5e8086cb131a4ea23e8da5d83c8b5547d0958dcaf5ef63e7a2
                                                                                                  • Opcode Fuzzy Hash: 722fd3c3e0835aacd92bc5106c907bfc3cf41df67ef9894d2d8ef5168b5d82c5
                                                                                                  • Instruction Fuzzy Hash: B801D6B65093806FD7128F16EC45863FFB8DB86520708C4EFE8498B652D225A909CBB2
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 14a1da125220038b4a5cea9858d10e3768f45dfbfac20d639906b5ba9af92b7d
                                                                                                  • Instruction ID: 968e4c75d2f805c3592a7fa925d0c88bbce10358e8d1f5fe38614808070235d9
                                                                                                  • Opcode Fuzzy Hash: 14a1da125220038b4a5cea9858d10e3768f45dfbfac20d639906b5ba9af92b7d
                                                                                                  • Instruction Fuzzy Hash: 82014C30606642DFCB04EB7AD54858DBBE1AF8830DF24886CE44D8B726DB70A8459B92
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000F.00000002.2267384332.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_15_2_e30000_Explower.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: